# Top 100 Upvoted Reports

**Top 100 upvoted reports from HackerOne:**

1. [Takeover an account that doesn't have a Shopify ID and more](https://hackerone.com/reports/867513) to Shopify - 2600 upvotes, $23550
2. [Bypass for #488147 enables stored XSS on https://paypal.com/signin again](https://hackerone.com/reports/510152) to PayPal - 2494 upvotes, $20000
3. [Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO](https://hackerone.com/reports/791775) to Shopify - 1694 upvotes, $16000
4. [Account takeover via leaked session cookie](https://hackerone.com/reports/745324) to HackerOne - 1447 upvotes, $20000
5. [Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052) to GitLab - 1393 upvotes, $20000
6. [Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password](https://hackerone.com/reports/739737) to PayPal - 1301 upvotes, $15300
7. [RCE on Steam Client via buffer overflow in Server Info](https://hackerone.com/reports/470520) to Valve - 1243 upvotes, $18000
8. [Potential pre-auth RCE on Twitter VPN](https://hackerone.com/reports/591295) to Twitter - 1135 upvotes, $20160
9. [Confidential data of users and limited metadata of programs and reports accessible via GraphQL](https://hackerone.com/reports/489146) to HackerOne - 946 upvotes, $20000
10. [\[Part II\] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation](https://hackerone.com/reports/796808) to Shopify - 849 upvotes, $15000
11. [Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies](https://hackerone.com/reports/737140) to Slack - 799 upvotes, $6500
12. [WannaCrypt “Killswitch”](https://hackerone.com/reports/228648) to HackerOne - 790 upvotes, $10000
13. [DoS on PayPal via web cache poisoning](https://hackerone.com/reports/622122) to PayPal - 790 upvotes, $9700
14. [Remote Code Execution on www.semrush.com/my\_reports on Logo upload](https://hackerone.com/reports/403417) to Semrush - 768 upvotes, $10000
15. [H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products](https://hackerone.com/reports/422944) to Shopify - 748 upvotes, $15000
16. [Git flag injection - local file overwrite to remote code execution](https://hackerone.com/reports/658013) to GitLab - 743 upvotes, $12000
17. [Exfiltrate and mutate repository and project data through injected templated service](https://hackerone.com/reports/446585) to GitLab - 727 upvotes, $11000
18. [SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051) to Starbucks - 714 upvotes, $4000
19. [JumpCloud API Key leaked via Open Github Repository.](https://hackerone.com/reports/716292) to Starbucks - 703 upvotes, $4000
20. [RCE via npm misconfig -- installing internal libraries from the public registry](https://hackerone.com/reports/925585) to PayPal - 680 upvotes, $30000
21. [🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter](https://hackerone.com/reports/821962) to Razer - 676 upvotes, $2000
22. [Use-After-Free In IPV6\_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives](https://hackerone.com/reports/826026) to PlayStation - 675 upvotes, $10000
23. [Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application](https://hackerone.com/reports/873614) to PlayStation - 671 upvotes, $15000
24. [IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users](https://hackerone.com/reports/415081) to PayPal - 663 upvotes, $10500
25. [Subdomain Takeover to Authentication bypass](https://hackerone.com/reports/335330) to Roblox - 659 upvotes, $2500
26. [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) to Starbucks - 657 upvotes, $4000
27. [SQL injection in https://labs.data.gov/dashboard/datagov/csv\_to\_json via User-agent](https://hackerone.com/reports/297478) to TTS Bug Bounty - 650 upvotes, $2000
28. [Stored XSS on https://paypal.com/signin via cache poisoning](https://hackerone.com/reports/488147) to PayPal - 633 upvotes, $18900
29. [Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/](https://hackerone.com/reports/846338) to Glassdoor - 626 upvotes, $1000
30. [Sensitive user information disclosure at bonjour.uber.com/marketplace/\_rpc via the 'userUuid' parameter](https://hackerone.com/reports/542340) to Uber - 611 upvotes, $6500
31. [Time-Based SQL injection at city-mobil.ru](https://hackerone.com/reports/868436) to Mail.ru - 609 upvotes, $15000
32. [Email address of any user can be queried on Report Invitation GraphQL type when username is known](https://hackerone.com/reports/792927) to HackerOne - 605 upvotes, $8500
33. [Getting all the CD keys of any game](https://hackerone.com/reports/391217) to Valve - 597 upvotes, $20000
34. [\[phpobject in cookie\] Remote shell/command execution](https://hackerone.com/reports/141956) to Pornhub - 595 upvotes, $20000
35. [Ability to reset password for account](https://hackerone.com/reports/322985) to Upserve - 595 upvotes, $3500
36. [Stored XSS in Wiki pages](https://hackerone.com/reports/526325) to GitLab - 590 upvotes, $4500
37. [Stored XSS on imgur profile](https://hackerone.com/reports/484434) to Imgur - 586 upvotes, $650
38. [SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter](https://hackerone.com/reports/819738) to Razer - 580 upvotes, $2000
39. [Bypassing Digits origin validation which leads to account takeover](https://hackerone.com/reports/129873) to Twitter - 576 upvotes, $5040
40. [Customer private program can disclose email any users through invited via username](https://hackerone.com/reports/807448) to HackerOne - 557 upvotes, $7500
41. [Github Token Leaked publicly for https://github.sc-corp.net](https://hackerone.com/reports/396467) to Snapchat - 552 upvotes, $15000
42. [Request smuggling on admin-official.line.me could lead to account takeover](https://hackerone.com/reports/740037) to LINE - 547 upvotes, $9000
43. [My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft](https://hackerone.com/reports/885975) to Lyft - 547 upvotes, $0
44. [Local files could be overwritten in GitLab, leading to remote command execution](https://hackerone.com/reports/587854) to GitLab - 531 upvotes, $12000
45. [Privilege Escalation From user to SYSTEM via unauthenticated command execution](https://hackerone.com/reports/544928) to Ubiquiti Inc. - 531 upvotes, $16109
46. [SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog](https://hackerone.com/reports/811111) to Razer - 528 upvotes, $2000
47. [Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation](https://hackerone.com/reports/910300) to Shopify - 527 upvotes, $22500
48. [Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com](https://hackerone.com/reports/771666) to Zomato - 521 upvotes, $5000
49. [The return of the ＜](https://hackerone.com/reports/639684) to Rockstar Games - 518 upvotes, $1000
50. [RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/](https://hackerone.com/reports/502758) to Starbucks - 515 upvotes, $4000
51. [Shopify Stocky App OAuth Misconfiguration](https://hackerone.com/reports/740989) to Shopify - 508 upvotes, $5000
52. [\[Grab Android/iOS\] Insecure deeplink leads to sensitive information disclosure](https://hackerone.com/reports/401793) to Grab - 503 upvotes, $7500
53. [SSRF in Exchange leads to ROOT access in all instances](https://hackerone.com/reports/341876) to Shopify - 491 upvotes, $25000
54. [Password theft login.newrelic.com via Request Smuggling](https://hackerone.com/reports/498052) to New Relic - 475 upvotes, $3000
55. [Able to Become Admin for Any LINE Official Account](https://hackerone.com/reports/698579) to LINE - 474 upvotes, $4750
56. [Remote Code Execution in Slack desktop apps + bonus](https://hackerone.com/reports/783877) to Slack - 469 upvotes, $1750
57. [BAD Code !](https://hackerone.com/reports/180074) to Paragon Initiative Enterprises - 468 upvotes, $0
58. [Reflected XSS in OAUTH2 login flow](https://hackerone.com/reports/697099) to LINE - 462 upvotes, $1989
59. [Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick`](https://hackerone.com/reports/684092) to Maker Ecosystem Growth Holdings, Inc - 461 upvotes, $50000
60. [profile-picture name parameter with large value lead to DoS for other users and programs on the platform](https://hackerone.com/reports/764434) to HackerOne - 455 upvotes, $2500
61. [SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution](https://hackerone.com/reports/816254) to QIWI - 450 upvotes, $5500
62. [XSS in steam react chat client](https://hackerone.com/reports/409850) to Valve - 444 upvotes, $7500
63. [XSS vulnerable parameter in a location hash](https://hackerone.com/reports/146336) to Slack - 435 upvotes, $1100
64. [How the Bug stole hacking](https://hackerone.com/reports/762510) to HackerOne - 435 upvotes, $0
65. [Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration](https://hackerone.com/reports/968082) to TikTok - 433 upvotes, $3860
66. [Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests](https://hackerone.com/reports/689314) to GitLab - 431 upvotes, $12000
67. [Blind SQL Injection](https://hackerone.com/reports/758654) to InnoGames - 427 upvotes, $2000
68. [Access to multiple production Grafana dashboards](https://hackerone.com/reports/663628) to Snapchat - 423 upvotes, $10000
69. [Open prod Jenkins instance](https://hackerone.com/reports/231460) to Snapchat - 419 upvotes, $15000
70. [touch.mail.ru / e.mail.ru memory content disclosure](https://hackerone.com/reports/513236) to Mail.ru - 406 upvotes, $10000
71. [Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message](https://hackerone.com/reports/631956) to Valve - 404 upvotes, $9000
72. [CRLF injection](https://hackerone.com/reports/446271) to Twitter - 404 upvotes, $2940
73. [Unrestricted file upload on \[ambassador.mail.ru\]](https://hackerone.com/reports/854032) to Mail.ru - 402 upvotes, $3000
74. [Employee's GitHub Token Found In Travis CI Build Logs](https://hackerone.com/reports/496937) to Grammarly - 388 upvotes, $5000
75. [Account Takeover worki.ru](https://hackerone.com/reports/744662) to Mail.ru - 388 upvotes, $1700
76. [gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read](https://hackerone.com/reports/850447) to GitLab - 387 upvotes, $10000
77. [H1514 Server Side Template Injection in Return Magic email templates?](https://hackerone.com/reports/423541) to Shopify - 384 upvotes, $10000
78. [Denial of service to WP-JSON API by cache poisoning the CORS allow origin header](https://hackerone.com/reports/591302) to Automattic - 383 upvotes, $550
79. [Remote code execution on Basecamp.com](https://hackerone.com/reports/365271) to Basecamp - 383 upvotes, $5000
80. [Blind XSS on image upload](https://hackerone.com/reports/1010466) to CS Money - 382 upvotes, $1000
81. [Stored XSS Vulnerability](https://hackerone.com/reports/643908) to WordPress - 381 upvotes, $500
82. [Read-only application can publish/delete fleets](https://hackerone.com/reports/1032468) to Twitter - 377 upvotes, $7700
83. [Chained Bugs to Leak Victim's Uber's FB Oauth Token](https://hackerone.com/reports/202781) to Uber - 375 upvotes, $7500
84. [Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg](https://hackerone.com/reports/340431) to Uber - 364 upvotes, $4000
85. [Cross-organization data access in city-mobil.ru](https://hackerone.com/reports/863983) to Mail.ru - 363 upvotes, $8000
86. [SQL injection at fleet.city-mobil.ru](https://hackerone.com/reports/881901) to Mail.ru - 360 upvotes, $10000
87. [Account TakeOver at my.33slona.ru](https://hackerone.com/reports/773519) to Mail.ru - 359 upvotes, $1700
88. [RCE on shared.mail.ru due to "widget" plugin](https://hackerone.com/reports/518637) to Mail.ru - 358 upvotes, $10000
89. [H1514 Ability to MiTM Shopify PoS Session to Takeover Communications](https://hackerone.com/reports/423467) to Shopify - 351 upvotes, $13337
90. [URL link spoofing](https://hackerone.com/reports/481472) to Slack - 349 upvotes, $250
91. [Bypass of GitLab CI runner slash fix in YAML validation](https://hackerone.com/reports/409395) to GitLab - 348 upvotes, $12000
92. [JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions](https://hackerone.com/reports/509924) to GitLab - 347 upvotes, $12000
93. [Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure](https://hackerone.com/reports/923132) to Dropbox - 346 upvotes, $4913
94. [Stored XSS in wordpress.com](https://hackerone.com/reports/733248) to Automattic - 345 upvotes, $650

