Flickr API Explorer – Force users to execute any API request.

Author:

February 3, 2015February 12, 2015 bbuerhaus bounty programs, cross-site request forgery, csrf, flickr, hackerone, research, security

Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.

Continue reading →

Yahoo – Root Access SQL Injection – tw.yahoo.com

Author:

Brett Buerhaus

January 15, 2015February 12, 2015 bbuerhaus bounty programs, hackerone, research, security, sql injection, yahoo

I'll keep this one simple and sweet because anyone reading this blog probably knows what SQL Injection is. I discovered a root access SQL injection on tw.yahoo.com.

Continue reading →

Increasing Your Company’s Security by Encouraging Responsible Disclosures.

Author:

Brett Buerhaus

June 21, 2014February 12, 2015 bbuerhaus bounty programs, security, security research

There's always a gamble for security researchers when reporting vulnerability disclosures to companies. Is the company going to read your report? How will they react to me testing their security? Where can I send this report anyway? These are some of the questions the researcher is going to contemplate before making a decision that can financially impact the company they are trying to help.

Continue reading →