Irccloud


reports in last 90 days
31 disclosed resolved issues
8 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| High | [IRCCloud Android] Theft of arbitrary files leading to token leakage | Privacy Violation | bagipro | 5 days, 15 hours | 0 days, 3 hours | Resolved |
| Medium | [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity | None supplied | bagipro | Issue was not triaged | 0 days, 3 hours | Resolved |
| Medium | [IRCCloud Android] XSS in ImageViewerActivity | None supplied | bagipro | Issue was not triaged | 0 days, 3 hours | Resolved |
| Low | Missing robots exclusion header for user uploads | Improper Access Control - Generic | d0rkerdevil | Issue was not triaged | 18 days, 9 hours | Resolved |
| No rating | Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE | Memory Corruption - Generic | cha5m | Issue was not triaged | 0 days, 5 hours | Resolved |
| No rating | Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) | Cross-site Scripting (XSS) - Generic | rohitdua | 0 days, 2 hours | 0 days, 1 hour | Resolved |
| No rating | Inadequate input validation on API endpoint leading to self denial of service and increased system load. | Denial of Service | mantis | 7 days, 21 hours | 5 days, 6 hours | Resolved |
| No rating | Email verification links still valid after changing it 2x | Violation of Secure Design Principles | jackds | Issue was not triaged | 0 days, 14 hours | Informative |
| No rating | Weak password policy | Improper Authentication - Generic | internetwache | Issue was not triaged | 0 days, 0 hours | Informative |
| No rating | Password type input with auto-complete enabled | Violation of Secure Design Principles | harikrishnan_c | Issue was not triaged | 0 days, 0 hours | Informative |
| No rating | Missing Character Restriction | Violation of Secure Design Principles | harikrishnan_c | Issue was not triaged | 104 days, 3 hours | Informative |
| No rating | Unvalidated Channel names causes IRC Command Injection | Cross-Site Request Forgery (CSRF) | mantis | 0 days, 0 hours | 0 days, 5 hours | Resolved |
| No rating | Bruteforce protection not enabled on the login page https://www.irccloud.com/ | Cryptographic Issues - Generic | born2hack | Issue was not triaged | 44 days, 5 hours | Informative |
| No rating | Persistent Cross Site Scripting within the IRCCloud Pastebin | Cross-site Scripting (XSS) - Generic | mantis | Issue was not triaged | 0 days, 0 hours | Resolved |
| No rating | CSRF to Account Take Over Bug | Cross-Site Request Forgery (CSRF) | defmax | Issue was not triaged | 1 day, 4 hours | Resolved |
| No rating | Host Header Injection - irccloud.com | Violation of Secure Design Principles | ethicalhacker | Issue was not triaged | 2 days, 0 hours | Resolved |
| No rating | Log Out Cross site Request Forgery | Cross-Site Request Forgery (CSRF) | gunda | Issue was not triaged | 0 days, 5 hours | Resolved |
| No rating | User Account Creation CSRF | Cross-Site Request Forgery (CSRF) | chandrakant | 0 days, 3 hours | 3 days, 3 hours | Resolved |
| No rating | Reflected XSS in Pastebin-view | Cross-site Scripting (XSS) - Generic | pseudochu | Issue was not triaged | 0 days, 6 hours | Resolved |
| No rating | Bruteforcing irccloud login | Violation of Secure Design Principles | eronx | Issue was not triaged | 15 days, 10 hours | Resolved |
| No rating | Login CSRF can be bypassed (Similar approach to previous one). | Cross-Site Request Forgery (CSRF) | uname | Issue was not triaged | 15 days, 3 hours | Resolved |
| No rating | iOS application does not destroy session upon logout. | Improper Authentication - Generic | uname | Issue was not triaged | 4 days, 9 hours | Resolved |
| No rating | "SESSION" Cookie without HttpOnly flag set | Improper Authentication - Generic | ashesh | Issue was not triaged | 0 days, 3 hours | Informative |
| No rating | Dangerous Persistent xss | Cross-site Scripting (XSS) - Generic | reporter | Issue was not triaged | 0 days, 0 hours | Resolved |
| No rating | Sign up CSRF | Cross-Site Request Forgery (CSRF) | eronx | 1 day, 11 hours | 2 days, 4 hours | Resolved |