Zomato

reports in last 90 days
97 disclosed resolved issues
7 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
| --- | --- | --- | --- | --- | --- |
| High | Information Disclosure through Sentry Instance ███████ | Information Exposure Through Debug Information | chajer | Issue was not triaged; Time to close: 0 Days and 4 hours | Resolved |
| High | Able to manipulate order amount by removing cancellation amount and cause financial impact | Business Logic Errors | sjvino | Time to triage: 0 Days and 5 hours; Time to close: 12 Days and 15 hours | Resolved |
| Medium | Self-Stored XSS - Chained with login/logout CSRF | Cross-site Scripting (XSS) - Stored | madguyyy | Time to triage: 1 Days and 19 hours; Time to close: 1 Days and 22 hours | Resolved |
| No rating | [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato | Insecure Direct Object Reference (IDOR) | prateek_0490 | Issue was not triaged; Time to close: 17 Days and 20 hours | Resolved |
| High | [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query | None supplied | bigshaq | Time to triage: 0 Days and 16 hours; Time to close: 1 Days and 1 hours | Resolved |
| High | Login to any account with the emailaddress | Improper Authentication - Generic | gerben_javado | Time to triage: 0 Days and 6 hours; Time to close: 9 Days and 3 hours | Resolved |
| No rating | [www.zomato.com] Boolean SQLi - /█████.php | SQL Injection | gerben_javado | Issue was not triaged; Time to close: 49 Days and 19 hours | Resolved |
| No rating | [www.zomato.com] Boolean SQLi - /███████.php | SQL Injection | gerben_javado | Issue was not triaged; Time to close: 54 Days and 13 hours | Resolved |
| Low | Open Redirect On Your Login Panel | Open Redirect | chiraggupta8769- | Issue was not triaged; Time to close: 0 Days and 1 hours | Informative |
| Critical | [https://reviews.zomato.com] Time Based SQL Injection | SQL Injection | samengmg | Issue was not triaged; Time to close: 3 Days and 2 hours | Resolved |
| Low | IDOR to delete images from other stores | Insecure Direct Object Reference (IDOR) | emitrani | Time to triage: 0 Days and 0 hours; Time to close: 1 Days and 17 hours | Resolved |
| Low | Bypassing the SMS sending limit for download app link. | Brute Force | vipinbihari | Issue was not triaged; Time to close: 0 Days and 0 hours | Duplicate |
| None | Sending Unlimited Emails to anyone from zomato mail server. | Brute Force | vipinbihari | Issue was not triaged; Time to close: 0 Days and 0 hours | Informative |
| Low | credentials leakage in public lead to view dev websites | Information Disclosure | xsam | Issue was not triaged; Time to close: 0 Days and 0 hours | Resolved |
| Critical | [www.zomato.com] SQLi - /php/██████████ - item_id | SQL Injection | gerben_javado | Time to triage: 0 Days and 4 hours; Time to close: 0 Days and 8 hours | Resolved |
| Medium | Open AWS S3 bucket leaks all Images uploaded to Zomato chat | Improper Authentication - Generic | yashrs | Time to triage: 0 Days and 1 hours; Time to close: 0 Days and 1 hours | Resolved |
| Medium | [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) | Business Logic Errors | pasw | Issue was not triaged; Time to close: 0 Days and 0 hours | Resolved |
| High | [www.zomato.com] Blind XSS in one of the admin dashboard | Cross-site Scripting (XSS) - Generic | khoiasd | Time to triage: 0 Days and 0 hours; Time to close: 4 Days and 15 hours | Resolved |
| High | [api.zomato.com] Able to manipulate order amount | Business Logic Errors | pasw | Time to triage: 0 Days and 0 hours; Time to close: 1 Days and 9 hours | Resolved |
| Low | Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day | Business Logic Errors | dertajora | Time to triage: 0 Days and 2 hours; Time to close: 1 Days and 15 hours | Resolved |
| Medium | [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information | None supplied | ahd911 | Issue was not triaged; Time to close: 35 Days and 12 hours | Resolved |
| No rating | [www.zomato.com] Blind XSS in one of the Admin Dashboard | Cross-site Scripting (XSS) - Stored | sandeep_hodkasia | Time to triage: 0 Days and 0 hours; Time to close: 0 Days and 17 hours | Resolved |
| Medium | [auth2.zomato.com] Reflected XSS at `oauth2/fallbacks/error` \| ORY Hydra an OAuth 2.0 and OpenID Connect Provider | Cross-site Scripting (XSS) - Reflected | sudi | Time to triage: 0 Days and 6 hours; Time to close: 29 Days and 16 hours | Resolved |
| Low | Reflected XSS on developers.zomato.com | Cross-site Scripting (XSS) - Reflected | areizen | Time to triage: 0 Days and 1 hours; Time to close: 0 Days and 7 hours | Resolved |