Yelp Program Statistics

View program

45 total issues disclosed

$26,900 total paid publicly

Most disclosed (8 disclosures) — UI Redressing (Clickjacking)

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
RCE on build server via misconfigured pip install Download of Code Without Integrity Check alexbirsan Critical 2021-02-09
X-Forward-For Header allows to bypass access restrictions Improper Access Control - Generic parzel Medium 2020-10-26
IDOR in locid parameter allowing to view others accounts Profile Locations Business Logic Errors cocoh__23 Low 2020-09-02
Clickjacking lead to remove review None supplied alaayousef Medium 2020-09-01
Unauthorized Use of Victim Credit Card Privacy Violation hk755a Low 2020-08-21
CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse. Improper Access Control - Generic hk755a Medium 2020-08-21
ClickJacking on IMPORTANT Functions of Yelp UI Redressing (Clickjacking) hk755a Low 2020-08-21
I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) Insecure Direct Object Reference (IDOR) hk755a Medium 2020-08-19
I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) Insecure Direct Object Reference (IDOR) hk755a Critical 2020-08-19
CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card Privacy Violation hk755a High 2020-08-19
Nginx version disclosure via forbidden page Information Disclosure overlax Low 2017-11-21
ClickJacking UI Redressing (Clickjacking) jessepinkman None 2017-11-09
Clickjacking @ Main Domain[] UI Redressing (Clickjacking) h4ck3r0ne Low 2017-11-09
[Yelp Blog] Backslash in search string causes JS error Violation of Secure Design Principles denispugachev None 2017-11-09
Research papers on yelp are getting indexed by google bots. Information Disclosure us111 No rating 2017-11-09
One of url is redirecting to domain which is not yet purchased Open Redirect us111 No rating 2017-11-09
User can be fooled to Bookmark any restaurant by clickjacking UI Redressing (Clickjacking) na5ne3t Low 2017-11-09
ClickJacking in editing business name UI Redressing (Clickjacking) mohammad_obaid Low 2017-11-09
IDNs displayed in unicode in messages/about/talk sections (Homograph Attack) Violation of Secure Design Principles hk755a No rating 2017-11-09
Password reset token not expiring Improper Authentication - Generic hk755a No rating 2017-11-09
Leaking sensitive information lead to compromise employer API keys Insecure Storage of Sensitive Information xsam High 2017-11-09 is vulnerable to SWEET32 attack Cryptographic Issues - Generic pkkothawade No rating 2017-11-09
Content spoofing on yelp.onelogin Open Redirect japz Low 2017-11-09
Missing X-Frame-Options header UI Redressing (Clickjacking) abdul_r3hman No rating 2017-11-09
Click jacking in delete image of user in Yelp UI Redressing (Clickjacking) mohamedsherif Medium 2017-11-09
Weak Password Policy Violation of Secure Design Principles k4yy1s Low 2017-11-09
Ngnix Server version disclosure 404 Page! Information Disclosure babayaga_ No rating 2017-11-09
IDOR(indirect object references) on add friend,complement and send message Violation of Secure Design Principles w3b7ricks73r No rating 2017-11-09
[] CRLF Injection None supplied bobrov No rating 2017-11-09
Error Page Text Injection Violation of Secure Design Principles r0h17 None 2017-11-09
Possible content spoofing due to missing error page Violation of Secure Design Principles pisarenko Low 2017-11-09
Nginx server version disclosure on engineeringblog Information Disclosure japz None 2017-11-09
Clickjacking: X-Frame Header Missing UI Redressing (Clickjacking) vaxo No rating 2017-11-09
Verification of email addresses possible through Information Disclosure coder13 No rating 2017-09-16
Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. Cryptographic Issues - Generic edoverflow None 2017-07-10
Clickjacking Vulnerability found on Yelp Cross-Site Request Forgery (CSRF) hckyguy77 Low 2017-05-12
Information disclosure - emails disclosed in response > Cross-Site Request Forgery (CSRF) quistertow No rating 2017-05-11
CSRF on signup endpoint ( Cross-Site Request Forgery (CSRF) denispugachev No rating 2017-03-01
Able to download arbitrary PHP files at Privilege Escalation ret2got None 2017-02-06
X.509 certificate validation fails on international vanity domains Violation of Secure Design Principles tk0 None 2017-02-06
Self-XSS via location cookie city field when getting suggestions for a new location Cross-site Scripting (XSS) - Generic haquaman No rating 2016-11-30
Requesting Show CheckIn Alert for Non Friend User Information Disclosure vinesh1989 Low 2016-10-27
Verification of E-Mail address possible on and Information Disclosure badagent No rating 2016-10-27
Bybass The Closing of the account and logged again to your account Improper Authentication - Generic youssefmahmoud No rating 2016-10-21
Access to internal CMS containing private Data Improper Authentication - Generic nahamsec No rating 2016-10-07