TOPAUTH.md

File metadata and controls

259 lines (258 loc) · 36.4 KB

Top Authentication reports from HackerOne:

  1. Potential pre-auth RCE on Twitter VPN to X (Formerly Twitter) - 1190 upvotes, $20160
  2. Improper Authentication - any user can login as other user with otp/logout & otp/login to Snapchat - 916 upvotes, $0
  3. Subdomain Takeover to Authentication bypass to Roblox - 746 upvotes, $0
  4. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $0
  5. Shopify admin authentication bypass using partners.shopify.com to Shopify - 298 upvotes, $20000
  6. Bypass Password Authentication for updating email and phone number - Security Vulnerability to X (Formerly Twitter) - 267 upvotes, $0
  7. Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data to Starbucks - 227 upvotes, $0
  8. Spring Actuator endpoints publicly available and broken authentication to LY Corporation - 224 upvotes, $12500
  9. Through blocking the redirect in /* the attacker able to bypass Authentication To see Sensitive Data sush as Game Keys , Emails ,.. to Razer - 196 upvotes, $1000
  10. Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com to Uber - 168 upvotes, $0
  11. Authentication bypass on gist.github.com through SSH Certificates to GitHub - 164 upvotes, $10000
  12. Web Authentication Endpoint Credentials Brute-Force Vulnerability to HackerOne - 151 upvotes, $0
  13. 2-factor authentication can be disabled when logged in without confirming account password to Localize - 144 upvotes, $0
  14. [c-api.city-mobil.ru] Client authentication bypass leads to information disclosure to Mail.ru - 143 upvotes, $0
  15. Incorrect param parsing in Digits web authentication to X (Formerly Twitter) - 122 upvotes, $0
  16. RCE/LFI on test Jenkins instance due to improper authentication flow to Snapchat - 108 upvotes, $0
  17. Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication. to Starbucks - 92 upvotes, $0
  18. User account compromised authentication bypass via oauth token impersonation to Picsart - 91 upvotes, $0
  19. SAML Authentication Bypass on uchat.uberinternal.com to Uber - 83 upvotes, $8500
  20. Account Takeover via SMS Authentication Flow to Zenly - 83 upvotes, $0
  21. Admin Authentication Bypass Lead to Admin Account Takeover to UPS VDP - 80 upvotes, $0
  22. Pre-auth Remote Code Execution on multiple Uber SSL VPN servers to Uber - 77 upvotes, $2000
  23. Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 77 upvotes, $0
  24. Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning to Semmle - 76 upvotes, $0
  25. OneLogin authentication bypass on WordPress sites via XMLRPC to Uber - 73 upvotes, $7000
  26. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 71 upvotes, $0
  27. access to profile & reset password page without authentication to Tennessee Valley Authority - 63 upvotes, $0
  28. Broken Authentication - Security token gets captured via man in the middle attack to Automattic - 62 upvotes, $0
  29. Authentication Bypass to (CVE-2023-2982) to CS Money - 59 upvotes, $100
  30. Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 58 upvotes, $0
  31. Ability to access all user authentication tokens, leads to RCE to GitLab - 57 upvotes, $0
  32. insecure storage of information, you can view any file uploaded to the server without authentication and only with a single link to Radancy - 55 upvotes, $0
  33. Improper Authentication (Login without Registration with any user) at ████ to U.S. Dept Of Defense - 53 upvotes, $0
  34. Ability to log in as any user without authentication if █████████ is empty to Ubiquiti Inc. - 52 upvotes, $0
  35. OneLogin authentication bypass on WordPress sites to Uber - 51 upvotes, $10000
  36. Bypass Password Authentication to Update the Password to X (Formerly Twitter) - 51 upvotes, $0
  37. Two-factor authentication enforcement bypass to Nextcloud - 50 upvotes, $750
  38. Basic auth header on WebDAV requests is not bruteforce protected to Nextcloud - 49 upvotes, $0
  39. Authentication bypass in Global Site Selector allows an attacker to log in as any user to Nextcloud - 48 upvotes, $0
  40. Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com to Ubiquiti Inc. - 47 upvotes, $0
  41. [Android] Directory traversal leading to disclosure of auth tokens to Slack - 46 upvotes, $3500
  42. Authentication bypass for ███ leads to take over any users account. to Krisp - 44 upvotes, $0
  43. Login CSRF : Login Authentication Flaw on https://liberapay.com/ to Liberapay - 43 upvotes, $0
  44. Missing authentication in buddy group API of LINE TIMELINE to LY Corporation - 41 upvotes, $3000
  45. Authentication Bypass on Icinga monitoring server to Shopify - 40 upvotes, $0
  46. Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extend to Rockstar Games - 39 upvotes, $750
  47. Authentication token and CSRF token bypass to Enjin - 39 upvotes, $300
  48. Broken Authentication and Session Management Flaw After Change Password and Logout to Omise - 39 upvotes, $0
  49. bypass two-factor authentication in Android apps and web to TikTok - 39 upvotes, $0
  50. Two-factor authentication bypass on Grab Android App to Grab - 38 upvotes, $0
  51. PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/ to LocalTapiola - 36 upvotes, $0
  52. Authentication bypass on JetPack SSO manager - Allows to access the administration panel of wordpress without user interaction to Automattic - 33 upvotes, $0
  53. Bypass Password Authentication to Update the Password to X (Formerly Twitter) - 31 upvotes, $0
  54. Authentication & Registration Bypass in Newspack Extended Access to Automattic - 31 upvotes, $0
  55. Bypass two-factor authentication to Slack - 30 upvotes, $500
  56. Authentication CSRF resulting in unauthorized account access on Krisp app to Krisp - 30 upvotes, $0
  57. IBM Maximo Asset Management could allow a remote attacker to bypass authentication due to improper access controls to IBM - 30 upvotes, $0
  58. Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com to Automattic - 29 upvotes, $0
  59. bypass two-factor authentication. to LinkedIn - 29 upvotes, $0
  60. Improper Authentication on Alertmanager instance to IBM - 29 upvotes, $0
  61. Authentication Bypass with usage of PreSignedURL to ownCloud - 28 upvotes, $2000
  62. [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth to Uber - 28 upvotes, $500
  63. Broken Authentication and session management OWASP A2 to HackerOne - 28 upvotes, $0
  64. [jitsi-meet] Authentication Bypass when using JWT w/ public keys to 8x8 - 28 upvotes, $0
  65. Bypass for forced re-authentication upon biometrics change to Bitwarden - 28 upvotes, $0
  66. Authentication Bypass by abusing Insecure crypto tokens in /lib/OA/Dal/PasswordRecovery.php: to Revive Adserver - 27 upvotes, $0
  67. Username restriction bypass with SSL client authentication to Open-Xchange - 26 upvotes, $1000
  68. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
  69. Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) to U.S. Dept Of Defense - 26 upvotes, $0
  70. Bypass two-factor authentication to Cloudflare Public Bug Bounty - 25 upvotes, $250
  71. Admins can change authentication details of user configured external storage to Nextcloud - 25 upvotes, $100
  72. Authentication bypass and RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials to U.S. Dept Of Defense - 25 upvotes, $0
  73. Broken Authentication Session Token Bug to Courier - 25 upvotes, $0
  74. Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account to Shopify - 24 upvotes, $900
  75. Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication to Rockstar Games - 24 upvotes, $250
  76. Authentication Issue to Coinbase - 24 upvotes, $200
  77. Two-factor authentication can be disabled when logged in without 2fa or password confirmation to Zivver - 24 upvotes, $0
  78. Developer uploaded files missing authentication on LINE GAME Developers site(gdc.game.line.me) to LY Corporation - 24 upvotes, $0
  79. [www.boozt.com] - Authentication bypass to Boozt Fashion AB - 23 upvotes, $200
  80. CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE to Internet Bug Bounty - 22 upvotes, $2580
  81. Docker Registry without authentication leads to docker images download to U.S. Dept Of Defense - 22 upvotes, $0
  82. Administration page visible without authentication to Visma Public - 21 upvotes, $100
  83. Broken Authentication and session management OWASP A2 to Liberapay - 21 upvotes, $0
  84. Improper restriction of excessive authentication attempts on WebDAV endpoint to Nextcloud - 21 upvotes, $0
  85. Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth to WordPress - 20 upvotes, $0
  86. Broken Authentication and Session Management to Phabricator - 19 upvotes, $0
  87. Access to all █████████ files, including CAC authentication bypass to U.S. Dept Of Defense - 19 upvotes, $0
  88. Client side authentication leads to Auth Bypass to U.S. Dept Of Defense - 18 upvotes, $0
  89. Disavowed an email without any authentication to Liberapay - 18 upvotes, $0
  90. Bypassing password authentication of users that have 2FA enabled to GitLab - 17 upvotes, $0
  91. IDOR - Access to private video thumbnails even if video requires password authentication to Pornhub - 17 upvotes, $0
  92. Pre-Auth Blind NoSQL Injection leading to Remote Code Execution to Rocket.Chat - 17 upvotes, $0
  93. Uninstalling Mattermost Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication to Mattermost - 17 upvotes, $0
  94. Dovecot authentication is vulnerable to timing attacks. to Open-Xchange - 16 upvotes, $600
  95. Authentication Issue to Nextcloud - 16 upvotes, $50
  96. 2-factor authentication bypass to Algolia - 16 upvotes, $0
  97. WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS) to Ruby - 16 upvotes, $0
  98. Store Deletion or Sell without authentication to Shopify - 16 upvotes, $0
  99. broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up) to QIWI - 16 upvotes, $0
  100. Uninstalling Slack for Windows (64-bit), then reinstalling keeps you logged in without authentication to Slack - 15 upvotes, $500
  101. Drupal 7 pre auth sql injection and remote code execution to Internet Bug Bounty - 15 upvotes, $0
  102. Mobile Authentication Endpoint Credentials Brute-Force Vulnerability to New Relic - 15 upvotes, $0
  103. anti_ransomware_service.exe REST API does not require authentication to Acronis - 15 upvotes, $0
  104. Authentication Bypass & ApacheTomcat Misconfiguration in [██] to 8x8 - 15 upvotes, $0
  105. Two Factor Authentication Bypass to Ubiquiti Inc. - 14 upvotes, $0
  106. Akismet API keys are exposed by authentication method to Automattic - 14 upvotes, $0
  107. WordPress admin is accessible without HTTP authentication to Showmax - 13 upvotes, $0
  108. Improper Restriction of Excessive Authentication Attempts at http://terrafoot.ru/login.php (Rate Limit bypass via IP Rotation) to Mail.ru - 13 upvotes, $0
  109. Administration Authentication Bypass on https://█████ to U.S. Dept Of Defense - 13 upvotes, $0
  110. Basic Authentication Heap Overflow to Internet Bug Bounty - 13 upvotes, $0
  111. Leak of Platform Authentication credentials via Repeater to PortSwigger Web Security - 12 upvotes, $200
  112. SSO Authentication Bypass to New Relic - 12 upvotes, $0
  113. Broken Authentication – Session Token bug to Weblate - 12 upvotes, $0
  114. SAML authentication bypass to Rocket.Chat - 12 upvotes, $0
  115. Attacker can bypass authentication build on ingress external auth (nginx.ingress.kubernetes.io/auth-url) to Kubernetes - 12 upvotes, $0
  116. Pre-auth Denial-of-Service in Dovecot RPA implementation to Open-Xchange - 11 upvotes, $550
  117. Broken authentication and session management flaw to Coursera - 11 upvotes, $0
  118. Broken Authentication & Session Management (Login Bypass) at support.owox.com to OWOX, Inc. - 11 upvotes, $0
  119. pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment to WordPress - 11 upvotes, $0
  120. Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm to Acronis - 10 upvotes, $250
  121. Text injection on Auth problem at urbandictionary.com to Urban Dictionary - 10 upvotes, $0
  122. Significant Two step verification Authentication Bypass to Dropbox - 10 upvotes, $0
  123. Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication to Rocket.Chat - 10 upvotes, $0
  124. Improper Restriction of Excessive Authentication Attempts at https://top.mail.ru/edit? for site counter (Rate Limit bypass via IP Rotation) to Mail.ru - 10 upvotes, $0
  125. Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution to Rocket.Chat - 10 upvotes, $0
  126. Disclosure of internal information using hidden NTLM authentication leading to an exploit server to MTN Group - 10 upvotes, $0
  127. Broken Authentication to U.S. Dept Of Defense - 10 upvotes, $0
  128. Authentication bypass in ████████ to MTN Group - 10 upvotes, $0
  129. Java: CWE-522 Insecure basic authentication to GitHub Security Lab - 9 upvotes, $2300
  130. Authentication Bypass on monitoring server to Shopify - 9 upvotes, $0
  131. Authentication bypass vulnerability on a DoD website to U.S. Dept Of Defense - 9 upvotes, $0
  132. Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
  133. Login CSRF : Login Authentication Flaw to Weblate - 9 upvotes, $0
  134. Lack of Sanitization and Insufficient Authentication to WordPress - 9 upvotes, $0
  135. Exposed authentication (/cs/Satellite) to LocalTapiola - 9 upvotes, $0
  136. Basic auth details is still work on report ( 351555 ) to Reverb.com - 9 upvotes, $0
  137. [express-laravel-passport] Improper Authentication to Node.js third-party modules - 9 upvotes, $0
  138. Improper Restriction of Excessive Authentication Attempts at https://ucs.ru/login to Mail.ru - 9 upvotes, $0
  139. Improper Restriction of Excessive Authentication Attempts via https://certification.mail.ru/auth-form/?form=auth_certy (Rate limit Bypass) to Mail.ru - 9 upvotes, $0
  140. Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) to U.S. Dept Of Defense - 9 upvotes, $0
  141. Improper Authentication via previous backup code login to Basecamp - 9 upvotes, $0
  142. SMB User Authentication Bypass and Persistence to ownCloud - 8 upvotes, $0
  143. Cleartext protocol after bank authentication (yrityspalvelu.tapiola.fi) to LocalTapiola - 8 upvotes, $0
  144. Authentication Required When password change to Passit - 8 upvotes, $0
  145. Double authentication bypass to Mail.ru - 8 upvotes, $0
  146. Physical Access to Mobile App Allows Local Attribute Updates without Authentication to Uber - 8 upvotes, $0
  147. Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file to Nextcloud - 8 upvotes, $0
  148. Unauthorized Access to Internal Server Panel without Authentication to U.S. Dept Of Defense - 8 upvotes, $0
  149. Elasticsearch is currently open without authentication on https://██████l to U.S. Dept Of Defense - 8 upvotes, $0
  150. WordPress Authentication Denial of Service to Instacart - 7 upvotes, $100
  151. Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) to HackerOne - 7 upvotes, $0
  152. Broken authentication and invalidated email address leads to account takeover to X (Formerly Twitter) - 7 upvotes, $0
  153. Authentication Bypass in Updating Personal Information to Instacart - 7 upvotes, $0
  154. [ipm.informatica.com]- Broken Authentication to Informatica - 7 upvotes, $0
  155. The auth token does not expire on logging out and even after logging out all sessions to Mail.ru - 7 upvotes, $0
  156. Improper Restriction of Excessive Authentication Attempts at o2-ac.my.com/token to Mail.ru - 7 upvotes, $0
  157. Password authentication when changing information bypass. Bypass of report #721341 to Khan Academy - 7 upvotes, $0
  158. Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php to Mail.ru - 7 upvotes, $0
  159. Authentication bypass leads to sensitive data exposure (token+secret) to Slack - 6 upvotes, $2000
  160. Broken Authentication and Session Management to Secret - 6 upvotes, $0
  161. Critical : Access to group videos where videos are restricted for all users(Broken authentication ) to ok.ru - 6 upvotes, $0
  162. X-Content-Type-Options header missing at Auth Login to GoCD - 6 upvotes, $0
  163. Payment gateway status transferred to Shopify without authentication to Shopify - 6 upvotes, $0
  164. [gitmm.corp.mail.ru] Auth Bypass, Information Disclosure to Mail.ru - 6 upvotes, $0
  165. HTTP - Basic Authentication on https://www.stellar.org/wp-login.php to Stellar.org - 6 upvotes, $0
  166. Cross Site Request Forgery in auth in https://auth.ratelimited.me/ to RATELIMITED - 6 upvotes, $0
  167. Compromise of auth via subset/superset namespace names. to Kubernetes - 6 upvotes, $0
  168. Improper authentication on phpmyadmin portal which is hosted in https://eventapp.engelvoelkers.com to Engel & Völkers Technology GmbH - 6 upvotes, $0
  169. Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) to U.S. Dept Of Defense - 6 upvotes, $0
  170. Add me email address Authentication bypass to LinkedIn - 6 upvotes, $0
  171. Authentication bypass leads to Information Disclosure at U.S Air Force "https://███" to U.S. Dept Of Defense - 6 upvotes, $0
  172. Pre-auth buffer over-read in Dovecot NTLM implementation to Open-Xchange - 5 upvotes, $550
  173. Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change to Paragon Initiative Enterprises - 5 upvotes, $0
  174. [tor] control connection pre-auth DoS (infinite loop) with --enable-bufferevents to Tor - 5 upvotes, $0
  175. Improper authentication on registration to Semrush - 5 upvotes, $0
  176. https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass to U.S. Dept Of Defense - 5 upvotes, $0
  177. Post-Auth Stored XSS with User Interaction leads to Remote Code Execution to Rocket.Chat - 5 upvotes, $0
  178. Tokenless GUI Authentication to Kubernetes - 5 upvotes, $0
  179. Authentication Bypass Using Default Credentials on █████ to U.S. Dept Of Defense - 5 upvotes, $0
  180. Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to X (Formerly Twitter) - 4 upvotes, $280
  181. Broken Authentication (including Slack OAuth bugs) to Slack - 4 upvotes, $0
  182. HTTP-Basic Authentication on logs.nextcloud.com to Nextcloud - 4 upvotes, $0
  183. Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication to Uber - 4 upvotes, $0
  184. Broken Authentication: A project addition request can be used multiple time for different users to Semrush - 4 upvotes, $0
  185. *.shopify.com - Authentication bypass to Shopify - 4 upvotes, $0
  186. Grafana default username password authentication into the Grafana platform of the grafana.ev-cloud-platform.engelvoelkers.com to Engel & Völkers Technology GmbH - 4 upvotes, $0
  187. Authentication Bypass - Email Verification code bypass in account registration process. to UPchieve - 4 upvotes, $0
  188. [Java] CWE-522: Insecure LDAP authentication to GitHub Security Lab - 3 upvotes, $1800
  189. Twitter Ads Campaign information disclosure through admin without any authentication. to X (Formerly Twitter) - 3 upvotes, $560
  190. No rate-limit in Two factor Authentication leads to bypass using bruteforce attack to Algolia - 3 upvotes, $100
  191. MD5 used for Key-Auth signatures to WP API - 3 upvotes, $0
  192. apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP) to ownCloud - 3 upvotes, $0
  193. Auth bypass on directory.corp.ubnt.com to Ubiquiti Inc. - 3 upvotes, $0
  194. Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper to Veris - 3 upvotes, $0
  195. Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously to Uber - 3 upvotes, $0
  196. Open Redirect via "next" parameter in third-party authentication to Weblate - 3 upvotes, $0
  197. Can upload files without authentication on AirFibre 3.2 to Ubiquiti Inc. - 3 upvotes, $0
  198. Existing sessions valid after removing third party auth to Weblate - 3 upvotes, $0
  199. The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting to Uber - 3 upvotes, $0
  200. No authentication on email address for password reset functionality/ https://platform.thecoalition.com/forgot-password to Coalition, Inc. - 3 upvotes, $0
  201. Missing Two Factor Authentication in /admin/login to CFP Time - 3 upvotes, $0
  202. Able to view Backend Database dur to improper authentication to U.S. Dept Of Defense - 3 upvotes, $0
  203. Two-factor authentication (2FA) Bypass to BlockDev Sp. Z o.o - 3 upvotes, $0
  204. Broken Authentication and session management OWASP A2 to WakaTime - 3 upvotes, $0
  205. █████████ - Insecure download cookie generation allows bypass of CAC authentication, access to deleted and locked files to U.S. Dept Of Defense - 3 upvotes, $0
  206. Improper Restriction of Excessive Authentication Attempts at https://api.warrobots.com/auth (Pixonic Games) to Mail.ru - 3 upvotes, $0
  207. SAML authentication bypass through unauthenticated addSamlProvider Meteor Call to Rocket.Chat - 3 upvotes, $0
  208. The authentication code when activating 2FA can be used again to log in to Shopify - 3 upvotes, $0
  209. No admin audit log for auth tokens to Nextcloud - 3 upvotes, $0
  210. [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass to GitHub Security Lab - 3 upvotes, $0
  211. Potential Authentication Bypass through "autologin" feature to ImpressCMS - 3 upvotes, $0
  212. Bypass local authentication (PIN code) to Rocket.Chat - 3 upvotes, $0
  213. TOTP 2 Factor Authentication Bypass to Rocket.Chat - 3 upvotes, $0
  214. [Python] CWE-287: LDAP Improper Authentication to GitHub Security Lab - 2 upvotes, $1800
  215. [Python] CWE-522: Insecure LDAP Authentication to GitHub Security Lab - 2 upvotes, $1800
  216. Authentication Failed Mobile version to Shopify - 2 upvotes, $500
  217. Broken Authentication on Badoo to Bumble - 2 upvotes, $427
  218. Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com to Automattic - 2 upvotes, $0
  219. broken authentication to Concrete CMS - 2 upvotes, $0
  220. Weak Random Number Generator for Auth Tokens to joola.io - 2 upvotes, $0
  221. Two-factor authentication (via SMS) to Coinbase - 2 upvotes, $0
  222. Authentication bypass at fast.corp.yahoo.com to Yahoo! - 2 upvotes, $0
  223. Verification code issues for Two-Step Authentication to Automattic - 2 upvotes, $0
  224. Bypassed password authentication before enabling OTP verification to Shopify - 2 upvotes, $0
  225. Email Authentication Bypass to Paragon Initiative Enterprises - 2 upvotes, $0
  226. Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow to Zomato - 2 upvotes, $0
  227. Missing authentication on Notification setting . to Uber - 2 upvotes, $0
  228. Not clearing hex-decoded variable after usage in Authentication to Paragon Initiative Enterprises - 2 upvotes, $0
  229. Improper access control when an added email address is deleted from authentication to Weblate - 2 upvotes, $0
  230. putty pscp client-side post-auth stack buffer overwrite when processing remote file size to Internet Bug Bounty - 2 upvotes, $0
  231. Password authentication at newsletter.nextcloud.com discloses username list to Nextcloud - 2 upvotes, $0
  232. [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0
  233. [authmagic-timerange-stateless-core] Improper Authentication to Node.js third-party modules - 2 upvotes, $0
  234. 2 factor authentication design flaw to Coinbase - 1 upvotes, $0
  235. BROKEN AUTHENTICATION IN MOBILE VERIFICATION to X (Formerly Twitter) - 1 upvotes, $0
  236. unvalid open authentication with facebook to Vimeo - 1 upvotes, $0
  237. open authentication bug to Coinbase - 1 upvotes, $0
  238. Authentication errors in server side validaton of E-MAIL to Gratipay - 1 upvotes, $0
  239. Authentication Bypass in Yahoo Groups to Yahoo! - 1 upvotes, $0
  240. Authentication Bypass due to Session Mismanagement to Yahoo! - 1 upvotes, $0
  241. [api.allodsteam.com] Authentication Data to Mail.ru - 1 upvotes, $0
  242. Authentication Data are not Clearing to Udemy - 1 upvotes, $0
  243. No authentication required to add an email address. to Phabricator - 1 upvotes, $0
  244. Email Authentication bypass Vulnerability to Paragon Initiative Enterprises - 1 upvotes, $0
  245. Authentication Issue for easter egg on bonjour.uber.com to Uber - 1 upvotes, $0
  246. The application uses basic authentication. to Nextcloud - 1 upvotes, $0
  247. Broken Authentication and Session Management(Session Fixation) to Boozt Fashion AB - 1 upvotes, $0
  248. clickjacking to Semrush auth login to Semrush - 1 upvotes, $0
  249. Bypass Local Authentication (TouchID) to Dropbox - 1 upvotes, $0
  250. Improper authentication in the load sell inventory page to CS Money - 1 upvotes, $0
  251. [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass to GitHub Security Lab - 1 upvotes, $0
  252. Broken Authentication and Session Management lead to take over account to Phabricator - 1 upvotes, $0
  253. Certificate authentication re-use on redirect to curl - 1 upvotes, $0
  254. The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more su to LinkedIn - 1 upvotes, $0
  255. Sensitive settings need Re authentication to WePay - 0 upvotes, $0
  256. Broken Authentication – Session Token bug to WePay - 0 upvotes, $0
  257. Broken Authentication and session management OWASP A2 to New Relic - 0 upvotes, $0