🟡 Race in OAuth 2 API implementations
A race condition allows a malicious application to obtain several access_token and refresh_token pairs where only one pair should be generated. Further, it leads to an authorization bypass once access has been revoked, since the extra tokens remain usable.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/55140 | Authentication Bypass | $2500 |
🟡 Race in Performing retest allows duplicated payments
By executing multiple requests to confirm a retest at the same time, a malicious user is paid multiple times for the retest. This allows for stealing money from HackerOne, which could go unnoticed by both HackerOne and the attacker (me).
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/429026 | Double payments | $750 |
🟡 Redeem gift cards multiple times which leads to free "money"
A race condition vulnerability allows a gift card to be redeemed multiple times. This is how someone can easily buy goods by purchasing just one gift card and redeeming it over and over again.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/759247 | Payments | $1500 |
🟢 Race Condition leads to undeletable group member
It was a small race condition bug in which a group user couldn't be removed from the group even by the admin after they join.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/604534 | Permissions | $500 |
🟢 Race condition in adding team members
The researcher reported a race condition when adding new staff members that would allow bypassing the staff account limit for all plans. We fixed this issue by adding an exclusive lock around the account creation process.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/176127 | Limit bypass | $500 |