| Program | Bounty | Report title |
|---|---|---|
| Twitter | $10,080 | XXE on sms-be-vip.twitter.com in SXMP Processor |
| Twitter | $420 | Open Redirect |
| Twitter | $560 | HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter |
| Twitter | $280 | [██████████.gnip.com] .htpasswd disclosure |
| Twitter | $560 | [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME |
| Twitter | $2,520 | CSRF on Periscope Web OAuth authorization endpoint |
| Twitter | $7,560 | [URGENT] Opportunity to publish tweets on any twitters account |
| Twitter | $7,560 | Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ] |
| Twitter | $5,040 | Attacker can get vine repost user all informations even Ip address and location . |
| Twitter | $560 | Clickjacking Periscope.tv on Chrome |
| Twitter | - | Remote Unrestricted file Creation/Deletion and Possible RCE. |
| Twitter | $1,680 | CRLF and XSS stored on ton.twitter.com |
| Twitter | $140 | Sub Domain Takeover at mk.prd.vine.co |
| Twitter | - | GNIP subdomain take over |
| Twitter | $280 | Vine - overwrite account associated with email via android application |
| Twitter | $560 | Twitter for android is exposing user's location to any installed android app |
| Twitter | $1,120 | [IDOR][translate.twitter.com] Opportunity to change any comment at the forum |
| Twitter | $280 | SSRF in https://cards-dev.twitter.com/validator |
| Twitter | $2,520 | Cross-site scripting (reflected) |
| Twitter | $140 | Full Path Disclosure at 27.prd.vine.co |
| Twitter | $1,260 | View liked twits of private account via publish.twitter.com |
| Twitter | $560 | Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER] |
| Twitter | $2,100 | Twitter iOS fails to validate server certificate and sends oauth token |
| Twitter | $560 | leaking Digits OAuth authorization to third party websites |
| Twitter | $5,040 | [Studio.twitter.com] See someone else pics |
| Twitter | $560 | reverb.twitter.com redirects to vulnerable reverb.guru |
| Twitter | $1,120 | Stealing User emails by clickjacking cards.twitter.com/xxx/xxx |
| Twitter | $1,120 | csp bypass + xss |
| Twitter | $420 | Html Injection and Possible XSS in sms-be-vip.twitter.com |
| Twitter | $560 | Information Disclosure through .DS_Store in ██████████ |
| Twitter | - | List of a ton of internal twitter servers available on GitHub |
| Twitter | $840 | [Critical] - Steal OAuth Tokens |
| Twitter | $700 | xss in DM group name in twitter |
| Twitter | $700 | niche s3 buckets are readable/writeable/deleteable by authorized AWS users |
| Twitter | $280 | XSS using javascript:alert(8007) |
| Twitter | $1,120 | DOMXSS in Tweetdeck |
| Twitter | $280 | Sub-Domain Takeover |
| Twitter | $2,520 | Tweet Deck XSS- Persistent- Group DM name |
| Twitter | $2,520 | Bypassing Digits web authentication's host validation with HPP |
| Twitter | $5,040 | Bypassing Digits bridge origin validation |
| Twitter | $2,520 | Bypassing callback_url validation on Digits |
| Twitter | $140 | Subdomain Expired |
| Twitter | $560 | xss in link items (mopub.com) |
| Twitter | $560 | URGENT : NICHE.co Account Take Over Vulnerability |
| Twitter | $560 | Add tweet to collection CSRF |
| Twitter | $280 | Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) |
| Twitter | $1,120 | File Upload XSS in image uploading of App in mopub |
| Twitter | $280 | Following a User After Favoriting Actually Follows Another User (related to #95243) |
| Twitter | $1,120 | Can see private tweets via keyword searches on tweetdeck |
| Twitter | $280 | CSRF on cards API |
| Twitter | $5,040 | IDOR- Activate Mopub on different organizations- steal api token- Fabric.io |
| Twitter | $280 | Following a User Actually Follows Another User |
| Twitter | $280 | XSS in the "Poll" Feature on Twitter.com |
| Twitter | $280 | Tweetdeck (twitter owned app) not revoked |
| Twitter | $2,520 | Multiple DOMXSS on Amplify Web Player |
| Twitter | $2,520 | XSS on OAuth authorize/authenticate endpoint |
| Twitter | $280 | DOM based cookie bomb |
| Twitter | - | Privecy Issue : view "Protected users" followers and following |
| Twitter | $280 | Fabric.io: Ex-admin of an organization can delete team members |
| Twitter | - | Privacy Issue on protected tweets |
| Twitter | $420 | Insecure Direct Object Reference - access to other user/group DM's |
| Twitter | $2,800 | HTTP Response Splitting (CRLF injection) due to headers overflow |
| Twitter | $1,400 | XSS in twitter.com/safety/unsafe_link_warning |
| Twitter | $420 | Insecure direct object reference - have access to deleted DM's |
| Twitter | $3,500 | HTTP Response Splitting (CRLF injection) in report_story |
| Twitter | $560 | open redirect sends authenticity_token to any website or (ip address) |
| Twitter | $1,400 | XSS in original referrer after follow |
| Twitter | $560 | Twitter Ads Campaign information disclosure through admin without any authentication. |
| Twitter | $1,400 | Open Redirect leak of authenticity_token lead to full account take over. |
| Twitter | - | Cross site Port Scanning bug in twitter developers console |
| Twitter | $1,400 | Redirect URL in /intent/ functionality is not properly escaped |
| Twitter | $140 | Reporting user's profile by using another people's ID |
| Twitter | $560 | Twitter Card - Parent Window Redirection |
| Twitter | $1,260 | Problem with OAuth |
| Twitter | $140 | Insecure Data Storage in Vine Android App |
| Twitter | - | URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ. |
| Twitter | $140 | Flaw in login with twitter to steal Oauth tokens |
| Twitter | - | Path disclosure in platform0.twitter.com |
| Twitter | $420 | twitter android app Fragment Injection |
| Twitter | $1,120 | Fabric.io - an app admin can delete team members from other user apps |
| Twitter | $1,400 | fabric.io - app member can make himself an admin |
| Twitter | - | Account Deleted without any confirmation |
| Twitter | - | No rate limiting on creating lists |
| Twitter | $420 | URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825 |
| Twitter | $1,400 | HTML/XSS rendered in Android App of Crashlytics through fabric.io |
| Twitter | $140 | POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com |
| Twitter | $280 | Open redirection in fabric.io |
| Twitter | - | Abuse of "Remember Me" functionality. |
| Twitter | - | Homograph attack. |
| Twitter | $1,400 | [Stored XSS] vine.co - profile page |
| Twitter | - | Notifications can mark as read by CSRF |
| Twitter | - | Headers Missing |
| Twitter | $140 | getting emails of users/removing them from victims account [using typical attack] |
| Twitter | $280 | XSS via Fabrico Account Name |
| Twitter | $420 | Bad extended ascii handling in HTTP 301 redirects of t.co |
| Twitter | - | Options Method Enabled |
| Twitter | - | Option Method Enabled on web server |
| Twitter | - | BROKEN AUTHENTICATION IN MOBILE VERIFICATION |
| Twitter | - | Flaw in valid password policy. |
| Twitter | $1,400 | DOM Cross-Site Scripting ( XSS ) |
| Twitter | $1,680 | URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS |
| Twitter | $280 | XSS in fabric.io |
| Twitter | $140 | Singup Page HTML Injection Vulnerability |
| Twitter | - | Creating Unauthorized Audience Lists |
| Twitter | $420 | Unauthorized Tweeting on behalf of Account Owners |
| Twitter | $560 | Improper Verification of email address while saving Account Settings |
| Twitter | $280 | Profile Pic padding (Length-hiding) fails due to use of GZIP |
| Twitter | $1,120 | XSS platform.twitter.com \| video-js metadata |
| Twitter | $1,120 | XSS platform.twitter.com |
| Twitter | - | Twitter Flight SSL 2.0 deprecated protocol vulnerability. |
| Twitter | $420 | iOS App can establish Facetime calls without user's permission |
| Twitter | $1,400 | Cross site scripting on ads.twitter.com |
| Twitter | $1,400 | Stored xss |
| Twitter | $1,400 | ads.twitter.com xss |
| Twitter | $2,800 | Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability] |
| Twitter | $140 | Missing Rate Limiting on https://twitter.com/account/complete |
| Twitter | $140 | Full path disclosure at ads.twitter.com |
| Twitter | - | HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ |
| Twitter | - | User's DM won't deleted after logout from Twitter for iOS (com.atebits.xxx.application-state) |
| Twitter | - | Broken authentication and invalidated email address leads to account takeover |
| Twitter | - | Password reset link not validated. |
| Twitter | - | password sent over HTTP |
| Twitter | - | XSS ON MOPUB.COM |
| Twitter | - | Cookie not marked as secure. |
| Twitter | - | XSS vulnerability in video player page |
| Twitter | - | Captcha bypass with extension at http://www.mopub.com/about/contact/ |
| Twitter | - | [mobile.twitter.com / twitter.com] CSRF protection bypass |
| Twitter | - | uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack |
| Twitter | - | Token remains alive ever after logging out! |
| Twitter | - | CSRF in crashlytics.com |