Top Mobile reports from HackerOne:
- CVE-2019-5765: 1-click HackerOne account takeover on all Android devices to Chrome - 374 upvotes, $0
- Multiple bugs leads to RCE on TikTok for Android to TikTok - 362 upvotes, $0
- AWS bucket leading to iOS test build code and configuration exposure to Slack - 316 upvotes, $1500
- [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 311 upvotes, $1000
- Golden techniques to bypass host validations in Android apps to ██████ - 275 upvotes, $0
- Periscope android app deeplink leads to CSRF in follow action to X (Formerly Twitter) - 208 upvotes, $0
- Read new emails from any inbox in the iOS app via the notification center to Mail.ru - 186 upvotes, $10000
- URL that the Twitter mobile site cannot load to X (Formerly Twitter) - 139 upvotes, $1120
- XSS via message subject - mobile application to Mail.ru - 139 upvotes, $1000
- Changing email address on Twitter for Android unsets "Protect your Tweets" to X (Formerly Twitter) - 116 upvotes, $2940
- Possible to steal any protected files on Android to ownCloud - 112 upvotes, $750
- Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app to Reverb.com - 85 upvotes, $0
- [Razer Pay Android App] Multiple vulnerabilities chained to allow "RedPacket" money to be stolen by a 3rd party to Razer - 84 upvotes, $1000
- MetaMask Browser URL and Transaction Origin Spoofing - Metamask wallet Android & Metamask wallet iOS to MetaMask - 84 upvotes, $0
- Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields) to Grammarly - 82 upvotes, $0
- Reflected XSS on Mobile Search page to Pornhub - 79 upvotes, $250
- Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us to Curve - 78 upvotes, $0
- Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) to Shopify - 77 upvotes, $500
- Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover to Grammarly - 72 upvotes, $0
- Persistent arbitrary code execution in Mattermost Android to Mattermost - 63 upvotes, $0
- Insufficient session expiration in the com.shopify.ping android app to Shopify - 60 upvotes, $0
- Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks to GitHub Security Lab - 59 upvotes, $2300
- Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App to Grab - 58 upvotes, $1000
- Android: Explanation of Access to app protected components vulnerability to ██████ - 57 upvotes, $0
- Path Traversal in iOS application to VK.com - 55 upvotes, $0
- Default Nextcloud Server and Android Client leak sharee searches to Nextcloud to Nextcloud - 54 upvotes, $750
- Possibility to attach any mobile number to any email to Mail.ru - 54 upvotes, $0
- Periscope iOS app CSRF in follow action due to deeplink to X (Formerly Twitter) - 53 upvotes, $2940
- Stealing Private Information in VK Android App through PlayerProxy Port Remotely to VK.com - 50 upvotes, $700
- Firebase Database Takeover in Zego Sense Android app to Zego - 49 upvotes, $0
- Vulnerability in the Android application to VK.com - 48 upvotes, $0
- Able to log in to a deactivated staff account in the Shopify mobile app to Shopify - 47 upvotes, $0
- Insecure Storage and Overly Permissive API Keys in Android App to Zenly - 45 upvotes, $0
- bypass two-factor authentication in Android apps and web to TikTok - 39 upvotes, $0
- iOS group chat denial of service to LY Corporation - 38 upvotes, $300
- Two-factor authentication bypass on Grab Android App to Grab - 38 upvotes, $0
- Twitter iOS fails to validate server certificate and sends oauth token to X (Formerly Twitter) - 36 upvotes, $2100
- Arbitrary file write triggered by deeplink abuse - MetaMask Android to MetaMask - 36 upvotes, $0
- Path traversal allows tricking the Talk Android app into writing files into its root directory to Nextcloud - 36 upvotes, $0
- Android - Access of some not exported content providers to Dropbox - 34 upvotes, $1000
- Webview in LINE client for iOS will render application/octet-stream files as HTML to LY Corporation - 34 upvotes, $500
- Starbucks China Android app cloud storage service leaks a credential. to Starbucks - 33 upvotes, $0
- Webview address bar spoofing in LINE client for iOS to LY Corporation - 33 upvotes, $0
- Path traversal in ZIP extract routine on LINE Android to LY Corporation - 32 upvotes, $475
- Private Grab Messages on Android App can be accessed and cached by Search Engines to Grab - 32 upvotes, $200
- Possible to steal any protected files on Android to Harvest - 32 upvotes, $0
- Retrieving the cache database from the Android app via a third-party app to VK.com - 32 upvotes, $0
- Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 to X (Formerly Twitter) - 30 upvotes, $560
- SQL Injection found in NextCloud Android App Content Provider to Nextcloud - 30 upvotes, $150
- Weak user authentication on mobile application - I just broke the userKey secret password to Pornhub - 29 upvotes, $5000
- [█████████] Hardcoded credentials in Android App to Zomato - 27 upvotes, $500
- IP address can be leaked on Image preview in ICQ for Android chat to Mail.ru - 27 upvotes, $150
- Access of Android protected components via embedded intent to Slack - 27 upvotes, $0
- Exposed█████████in apk file - devbuilds.uber.com to Uber - 27 upvotes, $0
- No validation on image upload: user can upload PHP, APK and ZIP files, and the upload can be used for storage to Linktree - 27 upvotes, $0
- Mail.Ru Email for Android: Injecting custom screen inside adding new account flow to Mail.ru - 26 upvotes, $750
- Facebook App API credentials leaked in the APK to GlassWire - 26 upvotes, $0
- App PIN code can be bypassed in Files iOS to Nextcloud - 26 upvotes, $0
- Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 25 upvotes, $100
- Passcode bypass on Talk Android app to Nextcloud - 25 upvotes, $0
- Leak arbitrary file under nextcloud android client privacy directory to Nextcloud - 24 upvotes, $0
- Possibility to enumerate and bruteforce promotion codes in Uber iOS App to Uber - 23 upvotes, $3000
- ICQ Android APP remote DoS to Mail.ru - 23 upvotes, $1000
- Twitter for Android is exposing user's location to any installed Android app to X (Formerly Twitter) - 23 upvotes, $560
- Vine - overwrite account associated with email via android application to X (Formerly Twitter) - 23 upvotes, $280
- 2 click Remote Code execution in Evernote Android to Evernote - 23 upvotes, $0
- Identify the mobile number of a twitter user to X (Formerly Twitter) - 22 upvotes, $560
- DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f) to LY Corporation - 22 upvotes, $0
- Completely remove VPN profile from locked WARP iOS client to Cloudflare Public Bug Bounty - 20 upvotes, $1000
- Insecure HostnameVerifier within WebView of Razer Pay Android (TLS Vulnerability) to Razer - 20 upvotes, $750
- [Quora Android] Possible to steal arbitrary files from mobile device to Quora - 19 upvotes, $0
- Can use the Reddit Android app as usual even after revoking its access from reddit.com to Reddit - 18 upvotes, $0
- Full Passcode bypass on Nextcloud App iOS to Nextcloud - 17 upvotes, $0
- (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access to Pornhub - 16 upvotes, $1500
- Protected Tweets setting overridden by Android app to X (Formerly Twitter) - 16 upvotes, $560
- Improper markup sanitisation in Simplenote Android application. to Automattic - 16 upvotes, $0
- Hardcoded credentials in Android App to 8x8 - 16 upvotes, $0
- Mail.ru for Android - Theft of sensitive data to Mail.ru - 16 upvotes, $0
- [Java] CWE-755: Query to detect Local Android DoS caused by NFE to GitHub Security Lab - 15 upvotes, $1800
- Mobile Reflected XSS / CSRF at Advertisement Section on Search page to Pornhub - 15 upvotes, $200
- Multiple critical vulnerabilities in Odnoklassniki Android application to ok.ru - 15 upvotes, $0
- Mobile Authentication Endpoint Credentials Brute-Force Vulnerability to New Relic - 15 upvotes, $0
- Android - Possible to intercept broadcasts about uploaded files to Nextcloud - 15 upvotes, $0
- Find whether a video has been favourited or not, for any user [via YouPorn Mobile API] to Pornhub - 15 upvotes, $0
- User Profiles Leak PII in HTML Document for Mobile Browser User Agents to Zomato - 15 upvotes, $0
- Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate to Nextcloud - 15 upvotes, $0
- App pin of the Android app can be bypassed via 3rdparty apps generating deep links to Nextcloud - 15 upvotes, $0
- iOS app crashed by specially crafted direct message reactions to X (Formerly Twitter) - 14 upvotes, $560
- URL Scheme misconfiguration on TikTok for iOS to TikTok - 14 upvotes, $500
- Local SQL Injection in Content Provider (ru.mail.data.contact.ContactsProvider) of Mail.ru for Android, version 12.2.0.29734 to Mail.ru - 14 upvotes, $0
- End to end encryption public key is not properly verified on Desktop and Android to Nextcloud - 13 upvotes, $1500
- Android app does not clear end to end encryption keys to Nextcloud - 13 upvotes, $100
- [ios] Address bar spoofing in Brave for iOS to Brave Software - 13 upvotes, $0
- [Razer Pay Mobile App] IDOR within /v1_IM/friends/queryDrawRedLog allowed unauthorised access to read logs to Razer - 12 upvotes, $500
- Android MailRu Email: Thirdparty can access private data files with small user interaction to Mail.ru - 12 upvotes, $300
- Login with Google Not Authenticated on iOS App to Instacart - 12 upvotes, $0
- Upgrade menu exposes the mobile application token meant to only be visible to administrators to New Relic - 11 upvotes, $750
- Email leak in transactions in Android app to Coinbase - 11 upvotes, $500
- Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app to Nextcloud - 11 upvotes, $250
- Can register any mobile number in MFA without current code. to Grammarly - 11 upvotes, $0
- Insufficient limitation of web page title leads to DoS against ICQ for Android to Mail.ru - 11 upvotes, $0
- Bypass Cloudflare WARP lock on iOS. to Cloudflare Public Bug Bounty - 10 upvotes, $500
- Theft of protected files on Android to ownCloud - 10 upvotes, $50
- Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code to Coinbase - 10 upvotes, $0
- Sensitive information contained with New Relic APM iOS application to New Relic - 10 upvotes, $0
- Insecure Storage and Overly Permissive Google Maps API Key in Android App to Mail.ru - 10 upvotes, $0
- Hard-coded API keys at NordVpn Android App to Nord Security - 10 upvotes, $0
- NordVPN Android Application privacy violation due to Google Advertising Identifier misuse to Nord Security - 10 upvotes, $0
- Theft of arbitrary files in LINE Lite client for Android to LY Corporation - 10 upvotes, $0
- [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences to GitHub Security Lab - 9 upvotes, $4500
- Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager to Mapbox - 9 upvotes, $1000
- Phishing/Malware site blocking on Brave iOS can be bypassed with trailing dot in hostname to Brave Software - 9 upvotes, $250
- Brute force login and bypass locked account restrictions via iOS app to Instacart - 9 upvotes, $0
- DoS in Brave browser for iOS to Brave Software - 8 upvotes, $80
- Coinbase Android Security Vulnerabilities to Coinbase - 8 upvotes, $0
- XSS when replying / forwarding to a malicious email on iOS to Mail.ru - 8 upvotes, $0
- Physical Access to Mobile App Allows Local Attribute Updates without Authentication to Uber - 8 upvotes, $0
- Access to com.vk.usersstore.UsersContentProvider, possible exchange_token leak on Android < 21 to VK.com - 8 upvotes, $0
- Stored XSS at Mobile (Versions tab) to New Relic - 8 upvotes, $0
- Java: Detect remote source from Android intent extra to GitHub Security Lab - 7 upvotes, $1800
- Brave Shield for iOS is weak against IDN homograph attacks to Brave Software - 7 upvotes, $150
- Android content provider exposes password-protected share password hashes to Nextcloud - 7 upvotes, $75
- Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 7 upvotes, $0
- HTML Injection in Flickr screen name using iOS App to Yahoo! - 7 upvotes, $0
- XSS on iOS app via HTML rendering to Nextcloud - 7 upvotes, $0
- Reflected XSS in Zomato Mobile - category parameter to Zomato - 6 upvotes, $0
- [iOS] URL can be replaceState by blob URL in iOS Brave to Brave Software - 6 upvotes, $0
- XSS on mobile version of vimeo.com where the button "Follow" appears to Vimeo - 6 upvotes, $0
- Passcode Protection in Android Devices Can be Bypassed. to Nextcloud - 6 upvotes, $0
- Malicious apps can crash Nextcloud Android client by sending malformed intents to Nextcloud - 6 upvotes, $0
- CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
- Mail.ru for Android Content Provider Vulnerability to Mail.ru - 5 upvotes, $250
- Insecure Data Storage in Vine Android App to X (Formerly Twitter) - 5 upvotes, $140
- ByPassing the email Validation Email on Sign up process in mobile apps to Coinbase - 5 upvotes, $100
- Bug in iOS application which could lead to unauthorised access. to IRCCloud - 5 upvotes, $0
- No Security check at changing password and at adding mobile number which leads to account takeover and spam to Khan Academy - 5 upvotes, $0
- Android SDK - CREATE_REQUEST broadcast is unprotected to Zendesk - 5 upvotes, $0
- /accounts/USERID.json file is left open for Restricted User of organization disclosing Owner's Mobile Number and "billing_info, cc_email" to New Relic - 5 upvotes, $0
- Widespread failure of certificate validation in Android apps to Internet Bug Bounty - 5 upvotes, $0
- SSRF on local storage of iOS mobile to Nextcloud - 5 upvotes, $0
- Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud to Nextcloud - 5 upvotes, $0
- Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page to New Relic - 4 upvotes, $500
- In Fantasy Sports iOS app, signup page is requested over HTTP to Yahoo! - 4 upvotes, $0
- HTML/XSS rendered in Android App of Crashlytics through fabric.io to X (Formerly Twitter) - 4 upvotes, $0
- No authorization required in iOS device web-application to Coinbase - 4 upvotes, $0
- Uber is Flooding my Mobile with SMS Daily like a cron JOB to Uber - 4 upvotes, $0
- API OAuth Public Key disclosure in mobile app to Instacart - 4 upvotes, $0
- [Java] CWE-200: Query to detect exposure of sensitive information from android file intent to GitHub Security Lab - 3 upvotes, $1800
- Bypass PIN (4-digit passcode in the Android app) to Whisper - 3 upvotes, $100
- iOS application does not destroy session upon logout. to IRCCloud - 3 upvotes, $0
- secret app for iOS and android is sending some info over HTTP to Secret - 3 upvotes, $0
- User's DMs won't be deleted after logout from Twitter for iOS (com.atebits.xxx.application-state) to X (Formerly Twitter) - 3 upvotes, $0
- Lack of SSL Pinning on POS Application ( iOS ) to Shopify - 3 upvotes, $0
- [iOS] URI Obfuscation in iOS application to Brave Software - 3 upvotes, $0
- Retrieval and alteration of exposed media on Android Oreo to Nextcloud - 3 upvotes, $0
- Minor issue: Nextcloud 10.0 session issue with desktop client and Android client to Nextcloud - 3 upvotes, $0
- Misconfiguration of Merchant id in jwt header + Weird Debug mode enabling behavior leads to exposed OTP of mobile number. to Kartpay - 3 upvotes, $0
- Android App Crashes while sending message to users/ on channel to Rocket.Chat - 3 upvotes, $0
- Authentication Failed Mobile version to Shopify - 2 upvotes, $500
- Improper usage of Mobile Number that will lead to Information Disclosure to Mail.ru - 2 upvotes, $0
- Content Spoofing vulnerability in Mail.ru mobile to Mail.ru - 2 upvotes, $0
- Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number to QIWI - 2 upvotes, $0
- iOS App can establish Facetime calls without user's permission to X (Formerly Twitter) - 2 upvotes, $0
- Expire User Sessions in Admin Site does not expire user session in Shopify Application on iOS to Shopify - 2 upvotes, $0
- XSS in imgur mobile to Imgur - 2 upvotes, $0
- XSS in imgur mobile 3 to Imgur - 2 upvotes, $0
- Android app does not use SSL for login to Boozt Fashion AB - 2 upvotes, $0
- Broken authentication in mobile verification to X (Formerly Twitter) - 1 upvotes, $0
- twitter android app Fragment Injection to X (Formerly Twitter) - 1 upvotes, $0
- Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App to Veris - 1 upvotes, $0
- Privilege escalation to allow non-activated users to log in and use Uber Partner iOS app to Uber - 1 upvotes, $0
- Runtime manipulation iOS app breaking the PIN to Coinbase - 1 upvotes, $0
- Dependency confusion in https://github.com/hyperledger/aries-mobile-agent-react-native to Hyperledger - 1 upvotes, $0
- Information disclosure in Android Application to Coinbase - 0 upvotes, $0
- Information disclosure in coinbase android app to Coinbase - 0 upvotes, $0