Zomato

Most disclosed (19 disclosures) — Cross-site Scripting (XSS) - Generic
gerben_javado has disclosed the most with 10 reports!
105 total issues disclosed
$63,700 total paid publicly

Launched on 2016-01-15
Accepts reports via HackerOne

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| SQL Injection in www.hyperpure.com | Code Injection | hoteyes | Critical | 2021-02-22 |
| [www.zomato.com] Leaking Email Addresses of merchants via reset password feature | Improper Access Control - Generic | prateek_0490 | No rating | 2021-02-18 |
| [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | zzzhacker13 | Low | 2020-08-11 |
| [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query | SQL Injection | zzzhacker13 | Low | 2020-08-10 |
| [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php | SQL Injection | zzzhacker13 | Critical | 2020-08-10 |
| Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json | SQL Injection | zzzhacker13 | Critical | 2020-08-10 |
| [www.zomato.com] Blind SQL Injection in /php/geto2banner | SQL Injection | zzzhacker13 | Critical | 2020-08-10 |
| Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter | Violation of Secure Design Principles | 0xdexter | Low | 2020-08-08 |
| Availing Zomato gold by using a random third-party `wallet_id` | Business Logic Errors | pandaaaa | Critical | 2020-08-07 |
| Possible to enumerate Addresses of users using AddressId and guessing the delivery_subzone | None supplied | bigbug | Medium | 2020-07-15 |
| Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com | HTTP Request Smuggling | defparam | Critical | 2020-07-09 |
| Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com | HTTP Request Smuggling | defparam | Critical | 2020-07-09 |
| Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com | HTTP Request Smuggling | defparam | Critical | 2020-07-09 |
| [www.zomato.com] Blind XSS on one of the Admin Dashboard | Cross-site Scripting (XSS) - Generic | pandaaaa | High | 2019-11-19 |
| Information Disclosure through Sentry Instance ███████ | Information Exposure Through Debug Information | chajer | High | 2019-09-19 |
| Able to manipulate order amount by removing cancellation amount and cause financial impact | Business Logic Errors | sjvino | High | 2019-08-16 |
| [www.zomato.com] Blind XSS in one of the admin dashboard | Cross-site Scripting (XSS) - Generic | khoiasd | High | 2019-05-01 |
| [api.zomato.com] Able to manipulate order amount | Business Logic Errors | pasw | High | 2019-04-16 |
| [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) | Business Logic Errors | pasw | Medium | 2019-03-18 |
| [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information | None supplied | ahd911 | Medium | 2018-11-28 |
| Reflected XSS on developers.zomato.com | Cross-site Scripting (XSS) - Reflected | areizen | Low | 2018-10-05 |
| [www.zomato.com] Tampering with Order Quantity and paying less amount then actual amount, leads to business loss | Business Logic Errors | akhil-reni | High | 2018-09-17 |
| Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService | Information Disclosure | shivasurya | Low | 2018-09-11 |
| [www.zomato.com] SQLi - /php/██████████ - item_id | SQL Injection | gerben_javado | Critical | 2018-09-11 |
| [www.zomato.com] SQLi - /php/██████████ - item_id | SQL Injection | gerben_javado | Critical | 2018-09-11 |
| IDOR to delete images from other stores | Insecure Direct Object Reference (IDOR) | emitrani | Low | 2018-09-05 |
| [Zomato Android/iOS] Theft of user session | None supplied | bagipro | No rating | 2018-06-17 |
| [www.zomato.com] SQLi on `order_id` parameter | SQL Injection | saltedfish | Critical | 2018-05-30 |
| XSS in "explore-keywords-dropdown" results. | Cross-site Scripting (XSS) - Reflected | gcurtiss_ | None | 2018-05-09 |
| [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users | Insecure Direct Object Reference (IDOR) | riya | Low | 2018-04-28 |
| [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 | Cross-site Scripting (XSS) - Reflected | inferno- | Low | 2018-04-26 |
| [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query | None supplied | bigshaq | High | 2018-04-26 |
| [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost | None supplied | harsh13 | Medium | 2018-04-25 |
| IDOR in treat subscriptions | Insecure Direct Object Reference (IDOR) | harsh13 | Medium | 2018-04-25 |
| Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE) | UI Redressing (Clickjacking) | foobar7 | Medium | 2018-04-15 |
| URL is vulnerable to clickjacking | UI Redressing (Clickjacking) | hacker_one_one | No rating | 2018-04-14 |
| Zomato.com Reflected Cross Site Scripting | Cross-site Scripting (XSS) - Reflected | akamble937 | Low | 2018-04-08 |
| Reflected XSS on https://www.zomato.com | Cross-site Scripting (XSS) - Reflected | strukt | Medium | 2018-04-07 |
| Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) | Cross-site Scripting (XSS) - Generic | mrtn | No rating | 2018-04-03 |
| Blind XSS - Report review - Admin panel | Cross-site Scripting (XSS) - Stored | gerben_javado | Medium | 2018-03-29 |
| [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php | Privilege Escalation | gerben_javado | No rating | 2018-03-29 |
| [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php | Privilege Escalation | gerben_javado | No rating | 2018-03-29 |
| [www.zomato.com] Boolean SQLi - /███████.php | SQL Injection | gerben_javado | No rating | 2018-03-29 |
| [www.zomato.com] Boolean SQLi - /█████.php | SQL Injection | gerben_javado | No rating | 2018-03-29 |
| SSRF in https://www.zomato.com████ allows reading local files and website source code | Server-Side Request Forgery (SSRF) | adibou | Critical | 2018-02-28 |
| [https://reviews.zomato.com] Time Based SQL Injection | SQL Injection | samengmg | Critical | 2018-02-02 |
| [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at **clients/promoDataHandler.php** | Insecure Direct Object Reference (IDOR) | prateek_0490 | No rating | 2017-12-28 |
| Admin Access to a domain used for development and admin access to internal dashboards on that domain | Improper Access Control - Generic | prateek_0490 | No rating | 2017-12-28 |
| User Profiles Leak PII in HTML Document for Mobile Browser User Agents | Privacy Violation | chriszielinski | Medium | 2017-12-28 |
| [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato | Insecure Direct Object Reference (IDOR) | prateek_0490 | No rating | 2017-11-28 |
| Use any User to Follow you (Increase Followers) [IDOR] | Insecure Direct Object Reference (IDOR) | bountypls | Low | 2017-11-28 |
| [www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member | Improper Access Control - Generic | prateek_0490 | Medium | 2017-10-27 |
| [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint | Improper Authentication - Generic | prateek_0490 | No rating | 2017-10-27 |
| [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint | Insecure Direct Object Reference (IDOR) | prateek_0490 | High | 2017-10-27 |
| Potential server misconfiguration leads to disclosure of vendor/ directory | Forced Browsing | hextitan | Medium | 2017-10-23 |
| IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid | Insecure Direct Object Reference (IDOR) | darwinks | High | 2017-10-22 |
| Unauthorized update of merchants' information via /php/merchant_details.php | Improper Access Control - Generic | adibou | High | 2017-09-19 |
| [www.zomato.com] Union SQLi + Waf Bypass | SQL Injection | gerben_javado | No rating | 2017-09-19 |
| CSRF in the "Add restaurant picture" function | Cross-Site Request Forgery (CSRF) | 0xamir | No rating | 2017-09-15 |
| Length extension attack leading to HTML injection | Cryptographic Issues - Generic | b1t | Medium | 2017-09-01 |
| Restaurant payment information leakage | None supplied | adibou | Critical | 2017-08-24 |
| Posting to Twitter CSRF on php/post_twitter_authenticate.php | Cross-Site Request Forgery (CSRF) | kuromatae | Low | 2017-08-19 |
| Login to any account with the emailaddress | Improper Authentication - Generic | gerben_javado | High | 2017-08-17 |
| Bypass OTP verification when placing Order | Improper Access Control - Generic | madrobot | High | 2017-08-09 |
| SQL Injection, exploitable in boolean mode | SQL Injection | securitygab | Critical | 2017-07-19 |
| [█████████] Hardcoded credentials in Android App | Use of Hard-coded Credentials | gerben_javado | Critical | 2017-07-19 |
| NexTable: Credentials exposure | Cryptographic Issues - Generic | mrtuxracer | High | 2017-06-30 |
| CORS Misconfiguration on www.zomato.com | None supplied | albinowax | No rating | 2017-06-30 |
| CSRF To Like/Unlike Photos | Cross-Site Request Forgery (CSRF) | pabster | Medium | 2017-06-30 |
| xss found in zomato | Cross-site Scripting (XSS) - DOM | rasi-ras | Medium | 2017-06-30 |
| Reflected XSS in Zomato Mobile - category parameter | Cross-site Scripting (XSS) - Reflected | harry_mg | Medium | 2017-06-26 |
| Reflected XSS on business-blog.zomato.com - Part 2 | Cross-site Scripting (XSS) - Generic | dsopas | No rating | 2017-06-18 |
| Reflected XSS on business-blog.zomato.com - Part I | Cross-site Scripting (XSS) - Generic | dsopas | No rating | 2017-06-18 |
| XSS in flashmediaelement.swf (business-blog.zomato.com) | Cross-site Scripting (XSS) - Generic | madrobot | Medium | 2017-06-17 |
| MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) | Cross-site Scripting (XSS) - Generic | madrobot | High | 2017-06-17 |
| Amazon S3 bucket misconfiguration (share) | Improper Access Control - Generic | glc | No rating | 2017-05-18 |
| CSS | None supplied | top | No rating | 2017-05-18 |
| Clickjacking login page of http://book.zomato.com/ | UI Redressing (Clickjacking) | benoculars | No rating | 2017-05-18 |
| Unvalidated redirect on user profile website | Open Redirect | roshanpty | No rating | 2017-05-18 |
| Visibility Robots.txt file | Information Disclosure | dhanunjaya | No rating | 2017-05-18 |
| Unauthorised Access to Anyone's User Account | Improper Authentication - Generic | bhavukjain1 | Critical | 2017-03-29 |
| takeover a lot of accounts | None supplied | yipman | High | 2017-03-08 |
| test.zba.se is vulnerable to SSL POODLE | Cryptographic Issues - Generic | hackerhero | Medium | 2017-02-27 |
| Base alpha version code exposure | Information Disclosure | cha5m | No rating | 2016-10-14 |
| Twitter Disconnect CSRF | Cross-Site Request Forgery (CSRF) | hussain_0x3c | No rating | 2016-09-30 |
| CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER | Violation of Secure Design Principles | kiraak-boy | No rating | 2016-09-14 |
| XSS on zomato.com | Cross-site Scripting (XSS) - Generic | spam404 | No rating | 2016-08-14 |
| Several XSS affecting Zomato.com and developers.zomato.com | Cross-site Scripting (XSS) - Generic | harry_mg | No rating | 2016-08-02 |
| XSS onmouseover | Cross-site Scripting (XSS) - Generic | idomin | No rating | 2016-08-02 |
| Two XSS vulns in widget parameters (all_collections.php and o2.php) | Cross-site Scripting (XSS) - Generic | pr0tagon1st | No rating | 2016-08-02 |
| Stored Cross site scripting | Cross-site Scripting (XSS) - Generic | amirisme | No rating | 2016-06-28 |
| Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI) | Information Disclosure | dejavuln | No rating | 2016-06-22 |
| Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay | Cross-site Scripting (XSS) - Generic | dejavuln | No rating | 2016-06-16 |
| Bypass OTP verification when placing Order | Improper Authentication - Generic | thisishrsh | No rating | 2016-06-01 |
| Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow | Improper Authentication - Generic | vivek-p | No rating | 2016-05-28 |
| Persistent XSS on Reservation / Booking Page | Cross-site Scripting (XSS) - Generic | murat | No rating | 2016-05-27 |
| Reflected XSS on Zomato API | Cross-site Scripting (XSS) - Generic | murat | No rating | 2016-05-27 |
| XSS and CSRF in Zomato Contact form | Cross-site Scripting (XSS) - Generic | vibhuti_nath | No rating | 2016-05-24 |
| Persistent input validation mail encoding vulnerability in the "just followed you" email notification. | Cross-site Scripting (XSS) - Generic | pr0tagon1st | No rating | 2016-04-07 |
| CSRF AT SELECTING ZAMATO HANDLE | Cross-Site Request Forgery (CSRF) | kiraak-boy | No rating | 2016-03-18 |
| Weak Password Policy | Improper Authentication - Generic | mugeesahmed | No rating | 2016-03-13 |
| XSS via modified Zomato widget (res_search_widget.php) | Cross-site Scripting (XSS) - Generic | pr0tagon1st | No rating | 2016-03-11 |
| Subdomain Takeover | Information Disclosure | kiraak-boy | No rating | 2016-03-09 |
| Remote File Upload Vulnerability in business-blog.zomato.com | Code Injection | missoum1307 | No rating | 2016-03-06 |
| Cross Site Scripting - type Patameter | Cross-site Scripting (XSS) - Generic | vagg-a-bond | No rating | 2016-03-06 |