Yelp


Most disclosed (8 disclosures) — UI Redressing (Clickjacking)

hk755a has disclosed the most with 8 reports!

45 total issues disclosed

$26,900 total paid publicly


Launched on 2014-12-01

Accepts reports via HackerOne



Disclosed Reports


Report Title Vulnerability Type Disclosed By Severity Disclosed on
RCE on build server via misconfigured pip install Download of Code Without Integrity Check alexbirsan Critical 2021-02-09
X-Forward-For Header allows to bypass access restrictions Improper Access Control - Generic parzel Medium 2020-10-26
IDOR in locid parameter allowing to view others accounts Profile Locations Business Logic Errors cocoh__23 Low 2020-09-02
Clickjacking lead to remove review None supplied alaayousef Medium 2020-09-01
Unauthorized Use of Victim Credit Card Privacy Violation hk755a Low 2020-08-21
CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse. Improper Access Control - Generic hk755a Medium 2020-08-21
ClickJacking on IMPORTANT Functions of Yelp UI Redressing (Clickjacking) hk755a Low 2020-08-21
I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) Insecure Direct Object Reference (IDOR) hk755a Medium 2020-08-19
I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) Insecure Direct Object Reference (IDOR) hk755a Critical 2020-08-19
CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card Privacy Violation hk755a High 2020-08-19
Nginx version disclosure via forbidden page Information Disclosure overlax Low 2017-11-21
ClickJacking UI Redressing (Clickjacking) jessepinkman None 2017-11-09
Clickjacking @ Main Domain[www.yelp.com] UI Redressing (Clickjacking) h4ck3r0ne Low 2017-11-09
[Yelp Blog] Backslash in search string causes JS error Violation of Secure Design Principles denispugachev None 2017-11-09
Research papers on yelp are getting indexed by google bots. Information Disclosure us111 No rating 2017-11-09
One of yelp.com url is redirecting to domain which is not yet purchased Open Redirect us111 No rating 2017-11-09
User can be fooled to Bookmark any restaurant by clickjacking UI Redressing (Clickjacking) na5ne3t Low 2017-11-09
ClickJacking in editing business name UI Redressing (Clickjacking) mohammad_obaid Low 2017-11-09
IDNs displayed in unicode in messages/about/talk sections (Homograph Attack) Violation of Secure Design Principles hk755a No rating 2017-11-09
Password reset token not expiring Improper Authentication - Generic hk755a No rating 2017-11-09
Leaking sensitive information lead to compromise employer API keys Insecure Storage of Sensitive Information xsam High 2017-11-09
Yelp.com is vulnerable to SWEET32 attack Cryptographic Issues - Generic pkkothawade No rating 2017-11-09
Content spoofing on yelp.onelogin Open Redirect japz Low 2017-11-09
Missing X-Frame-Options header UI Redressing (Clickjacking) abdul_r3hman No rating 2017-11-09
Click jacking in delete image of user in Yelp UI Redressing (Clickjacking) mohamedsherif Medium 2017-11-09
Weak Password Policy Violation of Secure Design Principles k4yy1s Low 2017-11-09
Ngnix Server version disclosure 404 Page! Information Disclosure babayaga_ No rating 2017-11-09
IDOR(indirect object references) on add friend,complement and send message Violation of Secure Design Principles w3b7ricks73r No rating 2017-11-09
[engineeringblog.yelp.com] CRLF Injection None supplied bobrov No rating 2017-11-09
Error Page Text Injection Violation of Secure Design Principles r0h17 None 2017-11-09
Possible content spoofing due to missing error page Violation of Secure Design Principles pisarenko Low 2017-11-09
Nginx server version disclosure on engineeringblog Information Disclosure japz None 2017-11-09
Clickjacking: X-Frame Header Missing UI Redressing (Clickjacking) vaxo No rating 2017-11-09
Verification of email addresses possible through https://www.yelp.com/signup/facebook Information Disclosure coder13 No rating 2017-09-16
Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. Cryptographic Issues - Generic edoverflow None 2017-07-10
Clickjacking Vulnerability found on Yelp Cross-Site Request Forgery (CSRF) hckyguy77 Low 2017-05-12
Information disclosure - emails disclosed in response > staging.seatme.us Cross-Site Request Forgery (CSRF) quistertow No rating 2017-05-11
CSRF on signup endpoint (auto-api.yelp.com) Cross-Site Request Forgery (CSRF) denispugachev No rating 2017-03-01
Able to download arbitrary PHP files at yelpblog.com Privilege Escalation ret2got None 2017-02-06
X.509 certificate validation fails on international vanity domains Violation of Secure Design Principles tk0 None 2017-02-06
Self-XSS via location cookie city field when getting suggestions for a new location Cross-site Scripting (XSS) - Generic haquaman No rating 2016-11-30
Requesting Show CheckIn Alert for Non Friend User Information Disclosure vinesh1989 Low 2016-10-27
Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot Information Disclosure badagent No rating 2016-10-27
Bybass The Closing of the account and logged again to your account Improper Authentication - Generic youssefmahmoud No rating 2016-10-21
Access to internal CMS containing private Data Improper Authentication - Generic nahamsec No rating 2016-10-07