TOPLEGALROBOT.md

File metadata and controls

157 lines (156 loc) · 17.5 KB

Top reports from the Legal Robot program at HackerOne:

  1. Remote Code Execution (upload) to Legal Robot - 60 upvotes, $0
  2. Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. to Legal Robot - 33 upvotes, $0
  3. Privilege Escalation to Admin-level Account to Legal Robot - 24 upvotes, $0
  4. Intercom chat session information persists after logout to Legal Robot - 20 upvotes, $0
  5. Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality to Legal Robot - 19 upvotes, $0
  6. Big XSS vulnerability! to Legal Robot - 19 upvotes, $0
  7. AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot to Legal Robot - 18 upvotes, $0
  8. Password complexity requirements not enforced to Legal Robot - 17 upvotes, $0
  9. Homograph IDNs displayed in Description to Legal Robot - 16 upvotes, $0
  10. Near-duplicate accounts allowed with ignored email mutations to Legal Robot - 14 upvotes, $0
  11. 2FA manual entry uses wrong encoding to Legal Robot - 14 upvotes, $0
  12. Legal Robot AWS S3 Bucket Directory Listing to Legal Robot - 14 upvotes, $0
  13. content spoofing to Legal Robot - 13 upvotes, $0
  14. Domain takeover (legalrobot.co.za) to Legal Robot - 13 upvotes, $0
  15. Code injection to Legal Robot - 13 upvotes, $0
  16. TabNabbing issue (due to target=_blank) to Legal Robot - 13 upvotes, $0
  17. Email Length Verification to Legal Robot - 13 upvotes, $0
  18. Information Disclosure on rate limit defense mechanism to Legal Robot - 12 upvotes, $0
  19. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $0
  20. Update any profile to Legal Robot - 12 upvotes, $0
  21. Change password session fixed to Legal Robot - 12 upvotes, $0
  22. Password complexity not evenly enforced to Legal Robot - 12 upvotes, $0
  23. AWS S3 website can't serve security headers, may allow clickjacking to Legal Robot - 11 upvotes, $0
  24. Password reset access control to Legal Robot - 11 upvotes, $0
  25. News Feed Detected to Legal Robot - 11 upvotes, $0
  26. I can't log in to my account to Legal Robot - 11 upvotes, $0
  27. design issue exists on login page to Legal Robot - 11 upvotes, $0
  28. Information Disclosure in AWS S3 Bucket to Legal Robot - 10 upvotes, $0
  29. Improper validation of parameters while creating issues to Legal Robot - 10 upvotes, $0
  30. Logic issue in email change process to Legal Robot - 10 upvotes, $0
  31. Failed OutLink on Terms of Service to Legal Robot - 10 upvotes, $0
  32. Venturebeat.com URL should be HTTPS to Legal Robot - 10 upvotes, $0
  33. Legal Robot to Legal Robot - 10 upvotes, $0
  34. Exposes a series of other private credentials to Legal Robot - 10 upvotes, $0
  35. Logic issue in email change process to Legal Robot - 10 upvotes, $0
  36. Missing restriction on string size in profile fields to Legal Robot - 9 upvotes, $0
  37. Missing link to 2FA recovery code to Legal Robot - 9 upvotes, $0
  38. Pages don't render in old browsers like IE11 to Legal Robot - 9 upvotes, $0
  39. Meta characters are not filtered into full name on profile page to Legal Robot - 9 upvotes, $0
  40. Missing link to TOTP manual enroll option to Legal Robot - 9 upvotes, $0
  41. first name and last name restrictions bypass to Legal Robot - 9 upvotes, $0
  42. User Information leak allows user to bypass email verification. to Legal Robot - 8 upvotes, $0
  43. User Information sent to client through websockets to Legal Robot - 8 upvotes, $0
  44. User enumeration to Legal Robot - 8 upvotes, $0
  45. Non-functional 2FA recovery codes to Legal Robot - 8 upvotes, $0
  46. [New Feature] Password history check to Legal Robot - 8 upvotes, $0
  47. [Cross-domain Referer leakage] Password reset token leakage via referer to Legal Robot - 8 upvotes, $0
  48. Change password logic inversion to Legal Robot - 8 upvotes, $0
  49. Password reset token issue to Legal Robot - 8 upvotes, $0
  50. External links to be in HTTP to Legal Robot - 8 upvotes, $0
  51. Clickjacking in Legalrobot app to Legal Robot - 8 upvotes, $0
  52. UI Redressing ( ClickJacking ) Issue on Information submit form to Legal Robot - 7 upvotes, $0
  53. CSRF to Legal Robot - 7 upvotes, $0
  54. Guessing registered users in legalrobot.com to Legal Robot - 7 upvotes, $0
  55. SSL Issue on legalrobot.com to Legal Robot - 7 upvotes, $0
  56. CORS (Cross-Origin Resource Sharing) to Legal Robot - 7 upvotes, $0
  57. Validation bypass on user profile to Legal Robot - 7 upvotes, $0
  58. Users with 2FA can have multiple sessions to Legal Robot - 7 upvotes, $0
  59. Token leakage by referrer to Legal Robot - 7 upvotes, $0
  60. No notification on change password feature to Legal Robot - 7 upvotes, $0
  61. Profile shows incorrect account creation date to Legal Robot - 7 upvotes, $0
  62. Enhancement: email confirmation for 2FA recovery to Legal Robot - 7 upvotes, $0
  63. 2FA user enumeration via password reset to Legal Robot - 7 upvotes, $0
  64. Missing Issuer parameter on TOTP 2FA to Legal Robot - 7 upvotes, $0
  65. Profile fields validation bypass to Legal Robot - 7 upvotes, $0
  66. User enumeration from failed login error message to Legal Robot - 7 upvotes, $0
  67. Missing access control at password change to Legal Robot - 7 upvotes, $0
  68. 2 vulns to Legal Robot - 6 upvotes, $0
  69. Email spoofing-fake mail from your mail domain server to Legal Robot - 6 upvotes, $0
  70. Registration bypass using OAuth logical bug to Legal Robot - 6 upvotes, $0
  71. SPF Issue to Legal Robot - 6 upvotes, $0
  72. missing SPF for legalrobot.com to Legal Robot - 6 upvotes, $0
  73. Server version disclosure to Legal Robot - 6 upvotes, $0
  74. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  75. Password Reset page Session Fixation to Legal Robot - 6 upvotes, $0
  76. observer.com URL should be HTTPS to Legal Robot - 6 upvotes, $0
  77. Futureoflife organization URL should be HTTPS to Legal Robot - 6 upvotes, $0
  78. No notification of change email feature to Legal Robot - 6 upvotes, $0
  79. Click Jacking to Legal Robot - 5 upvotes, $0
  80. Missing security headers, possible clickjacking to Legal Robot - 5 upvotes, $0
  81. No valid SPF record to Legal Robot - 5 upvotes, $0
  82. Password reset form ignores email field to Legal Robot - 5 upvotes, $0
  83. CSP script-src includes "unsafe-inline" to Legal Robot - 5 upvotes, $0
  84. Missing homograph filter character to Legal Robot - 5 upvotes, $0
  85. Wrong password validation message to Legal Robot - 5 upvotes, $0
  86. [UX] Notify user on likely email address typo to Legal Robot - 5 upvotes, $0
  87. sql injection vulnerability found to Legal Robot - 5 upvotes, $0
  88. External links should be served in HTTPS. to Legal Robot - 5 upvotes, $0
  89. Improper Implementation of Password strength checker to Legal Robot - 5 upvotes, $0
  90. Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/) to Legal Robot - 4 upvotes, $0
  91. Clickjacking: X-Frame-Options header missing to Legal Robot - 4 upvotes, $0
  92. Rate limiting on Email confirmation link to Legal Robot - 4 upvotes, $0
  93. SWEET32 TLS attack to Legal Robot - 4 upvotes, $0
  94. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  95. Password complexity ignores empty spaces to Legal Robot - 4 upvotes, $0
  96. No length limit in invite_code can cause server degradation to Legal Robot - 4 upvotes, $0
  97. Autocomplete feature to Legal Robot - 4 upvotes, $0
  98. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  99. app.legalrobot.com opens in Firefox but not in Firefox ESR to Legal Robot - 4 upvotes, $0
  100. No error or notification on Reset password page to Legal Robot - 4 upvotes, $0
  101. Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming to Legal Robot - 4 upvotes, $0
  102. Header Injection In app.legalrobot.com to Legal Robot - 4 upvotes, $0
  103. Cloudflare issue: Error 521 Ray ID: 2e7ea7f706ea4056 • 2016-09-25 12:59:55 UTC Web server is down to Legal Robot - 4 upvotes, $0
  104. Rate limiting on password reset links to Legal Robot - 3 upvotes, $0
  105. unsecured legalrobot.co.uk assets to Legal Robot - 3 upvotes, $0
  106. Account profile shows encryption recovery box for all users to Legal Robot - 3 upvotes, $0
  107. Token leakage by referrer header & analytics to Legal Robot - 3 upvotes, $0
  108. Incorrect email content when disabling 2FA to Legal Robot - 3 upvotes, $0
  109. Lengthy manual entry of 2FA secret to Legal Robot - 3 upvotes, $0
  110. Information disclosure to Legal Robot - 3 upvotes, $0
  111. S3 ACL misconfiguration to Legal Robot - 3 upvotes, $0
  112. Bypass email verification when register new account to Legal Robot - 3 upvotes, $0
  113. 2FA manual entry uses wrong encoding to Legal Robot - 3 upvotes, $0
  114. Password Complexity to Legal Robot - 3 upvotes, $0
  115. Issues with Forgot password Error Handling to Legal Robot - 3 upvotes, $0
  116. Unable to change profile picture to Legal Robot - 3 upvotes, $0
  117. Cross Site WebSocket Hijacking to Legal Robot - 3 upvotes, $0
  118. Non-HTTPS link on blog to Legal Robot - 3 upvotes, $0
  119. Legal | Application is Missing CSP(Content Security Policy) Header to Legal Robot - 2 upvotes, $0
  120. Possible content spoofing due to missing error page to Legal Robot - 2 upvotes, $0
  121. Mixed Content over HTTPS to Legal Robot - 2 upvotes, $0
  122. Incorrect error message to Legal Robot - 2 upvotes, $0
  123. Coding error ! to Legal Robot - 2 upvotes, $0
  124. No alert in verify email address with wrong input to Legal Robot - 2 upvotes, $0
  125. Error the message with already e-mail to Legal Robot - 2 upvotes, $0
  126. Allowance of Meta/Null characters to Legal Robot - 2 upvotes, $0
  127. Add arbitrary value in reset password cookie to Legal Robot - 2 upvotes, $0
  128. Null Byte Injection in all fields of Profile to Legal Robot - 2 upvotes, $0
  129. No DMARC Record in legalrobot-uat.com to Legal Robot - 1 upvotes, $0
  130. Email spoofing possible via Legal Robot domain to Legal Robot - 1 upvotes, $0
  131. Tampering the mail id on chatbox to Legal Robot - 1 upvotes, $0
  132. Weak Cryptography for Passwords to Legal Robot - 1 upvotes, $0
  133. Name can't be numbers or email to Legal Robot - 1 upvotes, $0
  134. Password Restriction On Change to Legal Robot - 1 upvotes, $0
  135. The websocket traffic is not secure enough to Legal Robot - 1 upvotes, $0
  136. Registration Allows Disposable Email Addresses to Legal Robot - 1 upvotes, $0
  137. Password Policy Bypass to Legal Robot - 1 upvotes, $0
  138. clickjacking at http://mailboxes.legalrobot-uat.com/ to Legal Robot - 1 upvotes, $0
  139. Profile fields validation mismatch to Legal Robot - 1 upvotes, $0
  140. Information Disclosure to Legal Robot - 1 upvotes, $0
  141. cross site web socket hijacking to Legal Robot - 1 upvotes, $0
  142. XSS on app.legalrobot.com to Legal Robot - 1 upvotes, $0
  143. Chat exposed using cookie to Legal Robot - 1 upvotes, $0
  144. Two accounts can be made with same password to Legal Robot - 1 upvotes, $0
  145. https://www.legalrobot.com/ to Legal Robot - 1 upvotes, $0
  146. SSL BREACH attack (CVE-2013-3587) to Legal Robot - 0 upvotes, $0
  147. LUCKY13 (CVE-2013-0169) affects legalrobot.com to Legal Robot - 0 upvotes, $0
  148. Subdomain misconfiguration [mail.legalrobot.com] to Legal Robot - 0 upvotes, $0
  149. Lack of input validation in e-mail & user name, job title, company name field to Legal Robot - 0 upvotes, $0
  150. Create Api Key is not working to Legal Robot - 0 upvotes, $0
  151. Special characters are not filtered out on profile fields to Legal Robot - 0 upvotes, $0
  152. CSRF Issue to Legal Robot - 0 upvotes, $0
  153. Invalid Email Verification to Legal Robot - 0 upvotes, $0
  154. Improper error message to Legal Robot - 0 upvotes, $0
  155. Non-secure requests are not automatically upgraded to HTTPS to Legal Robot - 0 upvotes, $0