Add files via upload

NaveenBen · Apr 4, 2019 · 9561b66 · 9561b66
1 parent 6378d9c
commit 9561b66
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 0 deletions.
diff --git a/InsufficientlyProtectedCredentials/233402.txt b/InsufficientlyProtectedCredentials/233402.txt
@@ -0,0 +1,16 @@
+ReportLink:https://hackerone.com/reports/233402
+WeaknessName:Insufficiently Protected Credentials
+Reporter:https://hackerone.com/z3t
+ReportedTo:Mixmax(mixmax)
+BountyAmount:
+Severity:medium
+State:Closed
+DateOfDisclosure:31.05.2017 3:24:37
+
+Summary:
+
+None of the weakness categories really fit this so I apologize for that.
+
+The subdomain `sales.mixmax.com` points to `151.101.16.229`, a `webflow.io` proxy server. Because it 404s, this leads me to believe that a subdomain takeover is possible through the webflow service as whatever this is pointing to is unused. 
+
+Due to odd DNS configurations I'm not 100% sure on this but thought I'd make you aware just in case.
diff --git a/InsufficientlyProtectedCredentials/329798.txt b/InsufficientlyProtectedCredentials/329798.txt
@@ -0,0 +1,31 @@
+ReportLink:https://hackerone.com/reports/329798
+WeaknessName:Insufficiently Protected Credentials
+Reporter:https://hackerone.com/0x0g
+ReportedTo:HackerOne(security)
+BountyAmount:500.0
+Severity:medium
+State:Closed
+DateOfDisclosure:25.03.2018 21:33:50
+
+Summary:
+One of our photographers accidentally took a photograph that exposed the WiFi password of the H1-202 event, which we consider bad OPSEC. This photo was published on our Facebook page and the [public hackathon leaderboard](/hackathons/h1202/live). We've updated the policy regarding photographs during these events and deleted references to the password. We ended up rewarding a bounty because this could've impacted the availability of the local network if an outsider would be present at the location. We don't believe this could've impacted the confidentiality or integrity of the data on the network. Connectivity is really important to our hackers during such events. We'd like to acknowledge @0x0g for looking out for us and the hackers who participate in our events!
+**Summary:**
+
+the h1-202 event took several photos for the event that rotate on the *public* leaderboard. One of these photos disclosed the local wifi SSID and Password.
+
+**Description:**
+SSID: HackerOne
+Password: █████████
+
+### Steps To Reproduce
+
+1. Look at the photo attached
+
+
+### Remediation
+
+Have your staff photographer revie the background for photos to not disclose passwords.
+
+## Impact
+
+Local attackers could connect to the wifi and sniff any unencypted traffic, as well as DoS the network (potentially).
diff --git a/InsufficientlyProtectedCredentials/411620.txt b/InsufficientlyProtectedCredentials/411620.txt
@@ -0,0 +1,12 @@
+ReportLink:https://hackerone.com/reports/411620
+WeaknessName:Insufficiently Protected Credentials
+Reporter:https://hackerone.com/imran1121
+ReportedTo:Chaturbate(chaturbate)
+BountyAmount:300.0
+Severity:medium
+State:Closed
+DateOfDisclosure:11.01.2019 8:01:38
+
+Summary:
+The hacker found that the server replays some form field data back in the response when there were form validation errors, which could be cached or viewed by someone with physical access to the same device used to complete the form. The fix was to delete the form data from showing in the response. 
+The target was https://billingsupport.chaturbate.com/customer_support/information_form/