TOPCOINBASE.md

Top reports from Coinbase program at HackerOne:

  1. Double Payout via PayPal to Coinbase - 267 upvotes, $10000
  2. Ethereum account balance manipulation to Coinbase - 251 upvotes, $10000
  3. ETH contract handling errors to Coinbase - 200 upvotes, $21000
  4. HTML injection in apps user review to Coinbase - 26 upvotes, $200
  5. [buy.coinbase.com]Content Injection to Coinbase - 23 upvotes, $100
  6. Authentication Issue to Coinbase - 22 upvotes, $200
  7. Prepopulation of email address and name leaks information provided to other merchants to Coinbase - 15 upvotes, $250
  8. Stored CSS Injection to Coinbase - 15 upvotes, $100
  9. XSSI (Cross Site Script Inclusion) to Coinbase - 13 upvotes, $200
  10. Captcha Bypass in Coinbase SignUp Form to Coinbase - 13 upvotes, $100
  11. Requestor Email Disclosure via Email Notification to Coinbase - 13 upvotes, $0
  12. Application error message to Coinbase - 12 upvotes, $100
  13. Email leak in transactions in Android app to Coinbase - 11 upvotes, $500
  14. Bypassing 2FA for BTC transfers to Coinbase - 10 upvotes, $1000
  15. Blacklist bypass on Callback URLs to Coinbase - 10 upvotes, $100
  16. Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code to Coinbase - 9 upvotes, $1000
  17. Session Issue Maybe Can lead to huge loss [CRITICAL] to Coinbase - 9 upvotes, $1000
  18. Stored-XSS in https://www.coinbase.com/ to Coinbase - 8 upvotes, $5000
  19. OAuth authorization page vulnerable to clickjacking to Coinbase - 8 upvotes, $5000
  20. Information disclosure same issue #176002 to Coinbase - 8 upvotes, $100
  21. Information disclosure of user by email using buy widget to Coinbase - 6 upvotes, $100
  22. Information leakage on https://docs.gdax.com to Coinbase - 6 upvotes, $100
  23. Content Injection error page to Coinbase - 6 upvotes, $0
  24. Coinbase Android Security Vulnerabilities to Coinbase - 5 upvotes, $100
  25. Create Multiple Account Using Similar X-CSRF token to Coinbase - 5 upvotes, $0
  26. coinbase Email leak while sending and requesting to Coinbase - 5 upvotes, $0
  27. window.opener is leaking to external domains upon redirect on Safari to Coinbase - 4 upvotes, $300
  28. User email enumeration using Gmail to Coinbase - 4 upvotes, $100
  29. Race condition allowing user to review app multiple times to Coinbase - 4 upvotes, $100
  30. No authorization required in iOS device web-application to Coinbase - 4 upvotes, $0
  31. The 'Create a New Account' action is vulnerable to CSRF to Coinbase - 4 upvotes, $0
  32. Leaking CSRF token over HTTP resulting in CSRF protection bypass to Coinbase - 3 upvotes, $1000
  33. Transactions visible on Unconfirmed devices to Coinbase - 3 upvotes, $500
  34. New Device confirmation tokens are not properly validated. to Coinbase - 3 upvotes, $100
  35. Bypassing the email Validation Email on Sign up process in mobile apps to Coinbase - 3 upvotes, $100
  36. No authorization required in Windows phone web-application to Coinbase - 3 upvotes, $0
  37. Open redirect on sign in to Coinbase - 3 upvotes, $0
  38. Multiple Issues related to registering applications to Coinbase - 2 upvotes, $1000
  39. CSRF on "Set as primary" option on the accounts page to Coinbase - 2 upvotes, $100
  40. User's legal name could be changed despite front end controls being disabled to Coinbase - 2 upvotes, $100
  41. Window.opener bug at www.coinbase.com to Coinbase - 2 upvotes, $100
  42. Information Disclosure That shows the webroot of CoinBase Server to Coinbase - 2 upvotes, $0
  43. 2FA settings allowed to be changed with no delay/freeze on funds to Coinbase - 2 upvotes, $0
  44. XXE in OAuth2 Applications gallery profile App logo to Coinbase - 2 upvotes, $0
  45. An adversary can overwhelm the resources by automating Forgot password/Sign Up requests to Coinbase - 2 upvotes, $0
  46. Invoice Details activate JS that filled in to Coinbase - 1 upvote, $1000
  47. Sandboxed iframes don't show confirmation screen to Coinbase - 1 upvote, $1000
  48. Sending payments via QR code does not require confirmation to Coinbase - 1 upvote, $1000
  49. Misconfiguration in 2 factor allows sensitive data expose to Coinbase - 1 upvote, $500
  50. Direct URL access to completed reports to Coinbase - 1 upvote, $200
  51. Credit Card Validation Issue to Coinbase - 1 upvote, $100
  52. New Device Confirmation, token is valid until not used. to Coinbase - 1 upvote, $100
  53. OAUTH permission set as true= lead to authorize malicious application to Coinbase - 1 upvote, $100
  54. User Enumeration, Information Disclosure and Lack of Rate Limitation on API to Coinbase - 1 upvote, $0
  55. Improper Validation of the Referrer header leading to Open URL Redirection to Coinbase - 1 upvote, $0
  56. IFRAME loaded from External Domains to Coinbase - 1 upvote, $0
  57. Simultaneous Session Logon : Improper Session Management to Coinbase - 1 upvote, $0
  58. Two-factor authentication (via SMS) to Coinbase - 1 upvote, $0
  59. Balance Manipulation - BUG to Coinbase - 1 upvote, $0
  60. Cookie not secure to Coinbase - 1 upvote, $0
  61. Transaction Pending Via Ip Change to Coinbase - 1 upvote, $0
  62. X-Frame-Options to Coinbase - 1 upvote, $0
  63. Csrf bug on signup session to Coinbase - 1 upvote, $0
  64. New Device Confirmation Bug to Coinbase - 1 upvote, $0
  65. User provided values passed to PHP unset() function to Coinbase - 1 upvote, $0
  66. Big Bug with Vault which i have already reported: Case #606962 to Coinbase - 0 upvotes, $5000
  67. 2 factor authentication design flaw to Coinbase - 0 upvotes, $100
  68. CSRF in function "Set as primary" on accounts page to Coinbase - 0 upvotes, $100
  69. open authentication bug to Coinbase - 0 upvotes, $100
  70. SPF records not found to Coinbase - 0 upvotes, $100
  71. Cookie missing the HttpOnly flag to Coinbase - 0 upvotes, $0
  72. iframes considered harmful to Coinbase - 0 upvotes, $0
  73. Potential for Double Spend via Sign Message Utility to Coinbase - 0 upvotes, $0
  74. Runtime manipulation iOS app breaking the PIN to Coinbase - 0 upvotes, $0
  75. Device confirmation Flaw to Coinbase - 0 upvotes, $0
  76. CSRF bug on password change to Coinbase - 0 upvotes, $0
  77. Information disclosure in Android Application to Coinbase - 0 upvotes, $0
  78. Information disclosure in coinbase android app to Coinbase - 0 upvotes, $0
  79. Inaccurate Payment receipt to Coinbase - 0 upvotes, $0
  80. User provided values trusted in sensitive actions to Coinbase - 0 upvotes, $0