Public IRCCloud bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
|---|---|---|
| IRCCloud | $50 | Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE |
| IRCCloud | $500 | Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) |
| IRCCloud | $500 | Inadequate input validation on API endpoint leading to self denial of service and increased system load. |
| IRCCloud | - | Email verification links still valid after changing it 2x |
| IRCCloud | $300 | Unvalidated Channel names causes IRC Command Injection |
| IRCCloud | - | Weak password policy |
| IRCCloud | - | Bruteforce protection not enabled on the login page https://www.irccloud.com/ |
| IRCCloud | $500 | Reflected XSS in Pastebin-view |
| IRCCloud | - | Missing Character Restriction |
| IRCCloud | - | Password type input with auto-complete enabled |
| IRCCloud | $100 | Host Header Injection - irccloud.com |
| IRCCloud | $100 | Login CSRF can be bypassed (Similar approach to previous one). |
| IRCCloud | - | Log Out Cross site Request Forgery |
| IRCCloud | $1,000 | Dangerous Persistent xss |
| IRCCloud | - | Unwanted Spamming Using CSRF [LOGGED IN USER] |
| IRCCloud | $100 | Host Header is not validated resulting in Open Redirect |
| IRCCloud | - | CSRF - Creating accounts |
| IRCCloud | - | Login page password-guessing attack(Brute-force attack-High). |
| IRCCloud | $500 | Persistent Cross Site Scripting within the IRCCloud Pastebin |
| IRCCloud | - | CSRF to Account Take Over Bug |
| IRCCloud | - | DNS Misconfiguration |
| IRCCloud | - | User Account Creation CSRF |
| IRCCloud | $100 | iOS application does not destroy session upon logout. |
| IRCCloud | $100 | Bug in iOS application which could lead to unauthorised access. |
| IRCCloud | - | "SESSION" Cookie without HttpOnly flag set |
| IRCCloud | $100 | Missing X-Content-Type-Options |
| IRCCloud | - | Session cookie can be leaked over an unencrypted HTTP connection |
| IRCCloud | $500 | Full account takeover using CSRF and password reset |
| IRCCloud | $500 | Session Token is not Verified while changing Account Setting's which Result In account Takeover |
| IRCCloud | - | HTML Form without CSRF protection |
| IRCCloud | $100 | Leaking Referrer in Reset Password Link |
| IRCCloud | $100 | Bruteforcing irccloud login |
| IRCCloud | $100 | Unsecure cookies, cookie flag secure not set |
| IRCCloud | $100 | Sign up CSRF |
| IRCCloud | $100 | Login CSRF |