Khanacademy


reports in last 90 days
33 disclosed resolved issues
13 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| High | Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org | Improper Access Control - Generic | katsuragicsl | Not triaged | 0 days, 2 hours | Resolved |
| No rating | Sensitive information/action is stored/done is done using a GET request | Cross-Site Request Forgery (CSRF) | dermeister | 2 days, 1 hour | 997 days, 3 hours | Resolved |
| High | Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers | Cross-Site Request Forgery (CSRF) | rlaneth | 3 days, 17 hours | 192 days, 4 hours | Resolved |
| Low | Users can make accounts with a fake email address. | None supplied | tom2468101214 | Not triaged | 0 days, 0 hours | Informative |
| Medium | https://mathfacts.khanacademy.org/ includes code from unprivileged localhost port | Code Injection | hanno | 1 day, 15 hours | 204 days, 20 hours | Resolved |
| Critical | Account takeover by changing email | Cross-Site Request Forgery (CSRF) | tomoh | 0 days, 2 hours | 1 day, 3 hours | Resolved |
| Critical | Take over of accounts created using Google or Facebook | Cross-Site Request Forgery (CSRF) | tomoh | 0 days, 3 hours | 9 days, 23 hours | Resolved |
| Medium | Cross site scripting (content-sniffing) | Cross-site Scripting (XSS) - Generic | sarmadkhan | 6 days, 2 hours | 19 days, 19 hours | Resolved |
| Medium | Creating Unlimited Fake Accounts. | None supplied | sameerphad72 | Not triaged | 2 days, 14 hours | Informative |
| Medium | Possible Take Over Subdomain For Inbound Emails | None supplied | rootbakar | 4 days, 2 hours | 34 days, 3 hours | Resolved |
| Medium | POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter | Cross-site Scripting (XSS) - Generic | miguel_santareno | Not triaged | 0 days, 15 hours | Resolved |
| Medium | Stored 'undefined' Cross-site Scripting | Cross-site Scripting (XSS) - Stored | rootbakar | Not triaged | 4 days, 4 hours | Informative |
| Medium | SignUp With Fake Email | Business Logic Errors | rootbakar | Not triaged | 4 days, 5 hours | Informative |
| Medium | Possible Subdomain Takeover | None supplied | cyberdolt | 2 days, 19 hours | 1 day, 2 hours | Resolved |
| High | Rate Limitation Vulnerability (DDoS) | Denial of Service | hamzar97 | 0 days, 0 hours | 392 days, 4 hours | Duplicate |
| Medium | CSRF token fixation and potential account takeover | Violation of Secure Design Principles | co0nan | 1 day, 19 hours | 82 days, 4 hours | Resolved |
| High | XSS through document projects | Cross-site Scripting (XSS) - Stored | ethanluismcdonough | 5 days, 19 hours | 216 days, 5 hours | Resolved |
| High | [critical] sql injection by GET method | SQL Injection | securitygab | 0 days, 1 hour | 3 days, 22 hours | Resolved |
| Low | Frameset (Frame) html tag is allowed in html editor (can lead to clickjacking) | UI Redressing (Clickjacking) | na5ne3t | 1 day, 5 hours | 102 days, 22 hours | Resolved |
| Medium | Possible to join any class without coach's knowledge & Little Information Disclosure | Business Logic Errors | tanim__ | 0 days, 23 hours | 22 days, 21 hours | Resolved |
| Low | Weak Birthdate Validation Implemented on Sign Up | Violation of Secure Design Principles | paranoidglitch | Not triaged | 0 days, 12 hours | Informative |
| Low | Password Functionality not working correctly | None supplied | utkarsh123 | Not triaged | 0 days, 10 hours | Informative |
| No rating | The web app's forgot password page is vulnerable to text injection/content spoofing | Command Injection - Generic | dermeister | 9 days, 7 hours | 187 days, 21 hours | Resolved |
| High | SSL/TLS Vulnerability at khanacademy.org | Cryptographic Issues - Generic | hack40077 | Not triaged | 2 days, 9 hours | Informative |
| Medium | OPEN URL REDIRECT through PNG files | Cross-site Scripting (XSS) - Generic | dineshvicky | 0 days, 10 hours | 162 days, 8 hours | Resolved |