Grab

- reports in last 90 days
- 23 disclosed resolved issues
- 1 disclosed informative issue
- 0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Medium | Private Grab Messages on Android App can be accessed and cached by Search Engines | None supplied | sp1d3rs | 0 days and 14 hours | 37 days and 7 hours | Resolved |
| Medium | [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite | Cross-site Scripting (XSS) - Reflected | ysx | 0 days and 0 hours | 1 day and 3 hours | Resolved |
| Medium | Two-factor authentication bypass on Grab Android App | Improper Authentication - Generic | sp1d3rs | 0 days and 14 hours | 7 days and 1 hour | Resolved |
| High | Authorization bypass using login by phone option + horizontal escalation possible on Grab Android App | Improper Authentication - Generic | sp1d3rs | 3 days and 16 hours | 11 days and 2 hours | Resolved |
| High | www.drivegrab.com SQL injection | SQL Injection | jouko | 0 days and 0 hours | 6 days and 2 hours | Resolved |
| High | [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure | Cross-site Scripting (XSS) - Generic | bagipro | 28 days and 15 hours | 128 days and 20 hours | Resolved |
| High | Production secret key leak in config/secrets.yml | Cleartext Storage of Sensitive Information | phreak | Issue was not triaged | 0 days and 13 hours | Informative |
| Critical | Leaking sensitive information on Github lead full access to all Grab Slack channels | Information Disclosure | xsam | 0 days and 0 hours | 0 days and 5 hours | Resolved |
| Medium | Registration enabled on ███grab.com | Information Disclosure | grouptherapy | 0 days and 0 hours | 2 days and 20 hours | Resolved |
| High | Leak ██████████ information in real time through API request | Improper Authentication - Generic | severus | 0 days and 0 hours | 2 days and 18 hours | Resolved |
| Medium | Unrestricted access to https://██████.█████myteksi.net/ | Improper Access Control - Generic | reptou | 0 days and 3 hours | 1 day and 4 hours | Resolved |
| Medium | Unrestricted access to Eureka server on ██████ | Improper Access Control - Generic | reptou | 0 days and 0 hours | 10 days and 22 hours | Resolved |
| Critical | Access Grab_Road BigData Database via Open Presto coordinator | Information Disclosure | vinothkumar | 0 days and 11 hours | 0 days and 8 hours | Resolved |
| Medium | stored xss in comments : driver exam | Cross-site Scripting (XSS) - Generic | paresh_parmar | 6 days and 4 hours | 40 days and 7 hours | Resolved |
| Medium | CSV Injection https://hub.grab.com | Command Injection - Generic | poison | 0 days and 4 hours | 39 days and 14 hours | Resolved |
| Critical | Blind stored xss [parcel.grab.com] > name parameter | Cross-site Scripting (XSS) - Stored | paresh_parmar | 0 days and 14 hours | 12 days and 2 hours | Resolved |
| Medium | [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ | Cross-site Scripting (XSS) - DOM | vagg-a-bond | 0 days and 0 hours | 2 days and 1 hour | Resolved |
| Medium | Dom based xss affecting all pages from https://www.grab.com/. | Cross-site Scripting (XSS) - DOM | netfuzzer | 1 day and 12 hours | 0 days and 22 hours | Resolved |
| High | Git repository found | Information Disclosure | linkks | 0 days and 0 hours | 0 days and 1 hour | Resolved |