Olx

reports in last 90 days
55 disclosed resolved issues
6 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Medium | Web cache deception in https://tradus.com leads to name/user_id enumeration and other info | Violation of Secure Design Principles | f_m | 11d 0h | 120d 18h | Resolved |
| No rating | Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter | Cross-site Scripting (XSS) - Reflected | littlestar | 1d 9h | 52d 23h | Resolved |
| No rating | Reflected XSS in www.olx.co.id | Cross-site Scripting (XSS) - Reflected | nullcod3r | 1d 14h | 38d 22h | Resolved |
| Critical | SQL Injection on https://www.olx.co.id | SQL Injection | nullcod3r | 8d 15h | 0d 0h | Resolved |
| Critical | SQL Injection https://www.olx.co.id | SQL Injection | codeslayer137 | 0d 10h | 50d 17h | Resolved |
| Medium | XSS inside HTML Link Tag | Cross-site Scripting (XSS) - Reflected | codelatteid | 2d 14h | 4d 19h | Resolved |
| Critical | XSS - main page - search[user_id] parameter | Cross-site Scripting (XSS) - Reflected | paulochoupina | 0d 14h | 20d 23h | Resolved |
| High | Public Vulnerable Version of Confluence https://confluence.olx.com | Information Disclosure | hdbreaker | Not triaged | 210d 9h | Resolved |
| High | XSS Reflected at SEARCH >> | Cross-site Scripting (XSS) - Reflected | secpentester1337 | Not triaged | 11d 22h | Resolved |
| Medium | Search Page Reflected XSS on sharjah.dubizzle.com through unencoded output of GET parameter in JavaScript | Cross-site Scripting (XSS) - Reflected | pajoda | 6d 13h | 154d 0h | Resolved |
| No rating | Able to list user's public name, username, phone number, address, Facebook ID... | Information Disclosure | lukeberner | 373d 18h | 177d 0h | Resolved |
| Medium | blog.praca.olx.pl database credentials exposure | Information Disclosure | hdbreaker | 0d 7h | 3d 1h | Resolved |
| No rating | Reflective XSS at olx.ph | Cross-site Scripting (XSS) - Reflected | ibrahimd | 4d 0h | 76d 22h | Resolved |
| No rating | Bypass CSP frame-ancestors at olx.co.za, olx.com.gh | UI Redressing (Clickjacking) | ibrahimd | 1d 0h | 55d 23h | Resolved |
| No rating | XSS in OLX.pl ("title" in new advertisement) | Cross-site Scripting (XSS) - Stored | d4w | 1d 1h | 61d 21h | Resolved |
| No rating | Cross Site Scripting -> Reflected XSS | Cross-site Scripting (XSS) - Generic | konduru-jashwanth | 0d 1h | 0d 1h | Resolved |
| No rating | All active user sessions should be destroyed when the user changes their password! | Improper Authentication - Generic | smii3 | 0d 4h | 423d 19h | Resolved |
| High | I found a way to instantly take over ads by other users and change them (IDOR) | Insecure Direct Object Reference (IDOR) | kciredor | 1d 0h | 40d 18h | Resolved |
| No rating | Stored XSS in buy topup OLX Gold Credits | Cross-site Scripting (XSS) - Generic | tsug0d | 3d 11h | 284d 4h | Resolved |
| Medium | OLX is vulnerable to clickjacking | None supplied | piyushsonikumar1671 | Not triaged | 8d 1h | Informative |
| Medium | Server version of https://www.olx.ph/ | Information Disclosure | jaypogzz | Not triaged | 1d 2h | Informative |
| Medium | Combined attacks leading to stealing user's account | Violation of Secure Design Principles | anonymans | 0d 18h | 52d 3h | Resolved |
| No rating | XSS @ *.letgo.com | Cross-site Scripting (XSS) - Generic | thezawad | 0d 4h | 267d 5h | Resolved |
| High | CSRF in delete advertisement on olx.com.eg | Cross-Site Request Forgery (CSRF) | mohamedsherif | 14d 22h | 144d 20h | Resolved |
| Critical | yaman.olx.ph/wordpress is using a very vulnerable version of WordPress and contains directory listing | Cross-Site Request Forgery (CSRF) | mohamedsherif | 9d 18h | 51d 22h | Resolved |

Times are given as days and hours (e.g. 11d 0h = 11 days, 0 hours). "Not triaged" marks reports the listing shows as closed without a triage step.