Instacart


reports in last 90 days
33 disclosed resolved issues
5 disclosed informative issues
1 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| No rating | Full access to any list | Privilege Escalation | sameoldstory | 9 days, 23 hours | 4 days, 18 hours | Resolved |
| Low | XSS at instacart.com/store/partner_recipe | Cross-site Scripting (XSS) - Generic | ak1t4 | Issue was not triaged | 3 days, 20 hours | Resolved |
| Medium | XSS in instacart.com/store/partner_recipe | Cross-site Scripting (XSS) - Generic | karel_origin | Issue was not triaged | 3 days, 11 hours | Resolved |
| No rating | Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url= | None supplied | ak1t4 | Issue was not triaged | 3 days, 15 hours | Resolved |
| No rating | CSRF Trial 14 days express subscription | Cross-Site Request Forgery (CSRF) | tolo7010 | Issue was not triaged | 7 days, 13 hours | Resolved |
| High | View & add to cart unlisted items via IDOR | Insecure Direct Object Reference (IDOR) | bigshaq | Issue was not triaged | 25 days, 1 hour | Resolved |
| Medium | Get all instacart emails - missing rate limit on /accounts/register | None supplied | 003random | Issue was not triaged | 6 days, 5 hours | Resolved |
| Medium | Bruteforcing password reset tokens, could lead to account takeover | Brute Force | 003random | Issue was not triaged | 0 days, 8 hours | Resolved |
| No rating | WordPress Authentication Denial of Service | Denial of Service | clizsec | Issue was not triaged | 1 day, 7 hours | Resolved |
| Low | Login with Google Not Authenticated on iOS App | Improper Authentication - Generic | bhavukjain1 | Issue was not triaged | 7 days, 0 hours | Resolved |
| No rating | READ .svg files by changing .svg into .png extension | Violation of Secure Design Principles | codertom | 0 days, 8 hours | 4 days, 18 hours | Resolved |
| No rating | Authentication Bypass in Updating Personal Information | Improper Authentication - Generic | footstep | Issue was not triaged | 15 days, 1 hour | Informative |
| Low | Access private list metadata | Information Disclosure | sameoldstory | 5 days, 19 hours | 21 days, 6 hours | Resolved |
| No rating | User Information sent to client through websockets | Information Disclosure | archers123 | 0 days, 15 hours | 2 days, 0 hours | Informative |
| No rating | Seemingly sensitive information at /api/v2/zones | Information Disclosure | sameoldstory | 0 days, 1 hour | 12 days, 7 hours | Resolved |
| No rating | Authorization Bypass in Delivery Chat Logs | Privilege Escalation | michiel | Issue was not triaged | 0 days, 9 hours | Resolved |
| No rating | Reflected File Download on recipe list search | Command Injection - Generic | dsopas | 4 days, 4 hours | 58 days, 22 hours | Informative |
| No rating | Server side request forgery on image upload for lists | Code Injection | eboda | 5 days, 20 hours | 7 days, 2 hours | Resolved |
| No rating | Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | malcolmx | Issue was not triaged | 2 days, 3 hours | Resolved |
| No rating | Cookie-Based Injection | Cross-site Scripting (XSS) - Generic | hussain_0x3c | 3 days, 2 hours | 0 days, 5 hours | Resolved |
| No rating | Issues with uploading list images | Denial of Service | cablej | 1 day, 3 hours | 5 days, 0 hours | Resolved |