| Report title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| RCE on build server via misconfigured pip install | Download of Code Without Integrity Check | alexbirsan | Critical | 2021-02-09 |
| X-Forward-For Header allows to bypass access restrictions | Improper Access Control - Generic | parzel | Medium | 2020-10-26 |
| IDOR in locid parameter allowing to view others accounts Profile Locations | Business Logic Errors | cocoh__23 | Low | 2020-09-02 |
| Clickjacking lead to remove review | None supplied | alaayousef | Medium | 2020-09-01 |
| Unauthorized Use of Victim Credit Card | Privacy Violation | hk755a | Low | 2020-08-21 |
| CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card Misuse. | Improper Access Control - Generic | hk755a | Medium | 2020-08-21 |
| ClickJacking on IMPORTANT Functions of Yelp | UI Redressing (Clickjacking) | hk755a | Low | 2020-08-21 |
| I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) | Insecure Direct Object Reference (IDOR) | hk755a | Medium | 2020-08-19 |
| I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) | Insecure Direct Object Reference (IDOR) | hk755a | Critical | 2020-08-19 |
| CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card | Privacy Violation | hk755a | High | 2020-08-19 |
| Nginx version disclosure via forbidden page | Information Disclosure | overlax | Low | 2017-11-21 |
| ClickJacking | UI Redressing (Clickjacking) | jessepinkman | None | 2017-11-09 |
| Clickjacking @ Main Domain[www.yelp.com] | UI Redressing (Clickjacking) | h4ck3r0ne | Low | 2017-11-09 |
| [Yelp Blog] Backslash in search string causes JS error | Violation of Secure Design Principles | denispugachev | None | 2017-11-09 |
| Research papers on yelp are getting indexed by google bots. | Information Disclosure | us111 | No rating | 2017-11-09 |
| One of yelp.com url is redirecting to domain which is not yet purchased | Open Redirect | us111 | No rating | 2017-11-09 |
| User can be fooled to Bookmark any restaurant by clickjacking | UI Redressing (Clickjacking) | na5ne3t | Low | 2017-11-09 |
| ClickJacking in editing business name | UI Redressing (Clickjacking) | mohammad_obaid | Low | 2017-11-09 |
| IDNs displayed in unicode in messages/about/talk sections (Homograph Attack) | Violation of Secure Design Principles | hk755a | No rating | 2017-11-09 |
| Password reset token not expiring | Improper Authentication - Generic | hk755a | No rating | 2017-11-09 |
| Leaking sensitive information lead to compromise employer API keys | Insecure Storage of Sensitive Information | xsam | High | 2017-11-09 |
| Yelp.com is vulnerable to SWEET32 attack | Cryptographic Issues - Generic | pkkothawade | No rating | 2017-11-09 |
| Content spoofing on yelp.onelogin | Open Redirect | japz | Low | 2017-11-09 |
| Missing X-Frame-Options header | UI Redressing (Clickjacking) | abdul_r3hman | No rating | 2017-11-09 |
| Click jacking in delete image of user in Yelp | UI Redressing (Clickjacking) | mohamedsherif | Medium | 2017-11-09 |
| Weak Password Policy | Violation of Secure Design Principles | k4yy1s | Low | 2017-11-09 |
| Nginx Server version disclosure 404 Page! | Information Disclosure | babayaga_ | No rating | 2017-11-09 |
| IDOR(indirect object references) on add friend,compliment and send message | Violation of Secure Design Principles | w3b7ricks73r | No rating | 2017-11-09 |
| [engineeringblog.yelp.com] CRLF Injection | None supplied | bobrov | No rating | 2017-11-09 |
| Error Page Text Injection | Violation of Secure Design Principles | r0h17 | None | 2017-11-09 |
| Possible content spoofing due to missing error page | Violation of Secure Design Principles | pisarenko | Low | 2017-11-09 |
| Nginx server version disclosure on engineeringblog | Information Disclosure | japz | None | 2017-11-09 |
| Clickjacking: X-Frame Header Missing | UI Redressing (Clickjacking) | vaxo | No rating | 2017-11-09 |
| Verification of email addresses possible through https://www.yelp.com/signup/facebook | Information Disclosure | coder13 | No rating | 2017-09-16 |
| Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. | Cryptographic Issues - Generic | edoverflow | None | 2017-07-10 |
| Clickjacking Vulnerability found on Yelp | Cross-Site Request Forgery (CSRF) | hckyguy77 | Low | 2017-05-12 |
| Information disclosure - emails disclosed in response > staging.seatme.us | Cross-Site Request Forgery (CSRF) | quistertow | No rating | 2017-05-11 |
| CSRF on signup endpoint (auto-api.yelp.com) | Cross-Site Request Forgery (CSRF) | denispugachev | No rating | 2017-03-01 |
| Able to download arbitrary PHP files at yelpblog.com | Privilege Escalation | ret2got | None | 2017-02-06 |
| X.509 certificate validation fails on international vanity domains | Violation of Secure Design Principles | tk0 | None | 2017-02-06 |
| Self-XSS via location cookie city field when getting suggestions for a new location | Cross-site Scripting (XSS) - Generic | haquaman | No rating | 2016-11-30 |
| Requesting Show CheckIn Alert for Non Friend User | Information Disclosure | vinesh1989 | Low | 2016-10-27 |
| Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot | Information Disclosure | badagent | No rating | 2016-10-27 |
| Bypass The Closing of the account and logged again to your account | Improper Authentication - Generic | youssefmahmoud | No rating | 2016-10-21 |
| Access to internal CMS containing private Data | Improper Authentication - Generic | nahamsec | No rating | 2016-10-07 |
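The "byte-by-byte comparison of HMAC values" entry above describes a classic timing side channel: a comparison that returns at the first differing byte takes longer the more leading bytes an attacker has guessed correctly. The example below is added here to illustrate that mechanism; it is not Firefly's or Yelp's code, and the key, message and `forge_prefix` helper are constructed for the demonstration. It puts the early-exit comparison beside a constant-time check using `hmac.compare_digest`, and exposes the number of bytes the naive version examined so the data-dependent behaviour is visible without measuring wall-clock time.

```python
"""Early-exit vs constant-time HMAC tag verification (added example, not project code)."""
import hashlib
import hmac
from typing import Tuple

# Constructed demo key and message; not taken from any report.
KEY = b"demo-secret-key"
MESSAGE = b"user=42&role=reader"


def sign(message: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 tag for a message (32 bytes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_verify(message: bytes, tag: bytes, key: bytes = KEY) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (is_valid, bytes_compared). The second value makes the leak
    explicit: it grows with the length of the correct prefix the caller
    supplied, which is exactly what a remote timing attack measures.
    """
    expected = sign(message, key)
    if len(expected) != len(tag):
        return False, 0
    compared = 0
    for a, b in zip(expected, tag):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def safe_verify(message: bytes, tag: bytes, key: bytes = KEY) -> bool:
    """Comparison whose running time does not depend on where the tags differ."""
    expected = sign(message, key)
    return hmac.compare_digest(expected, tag)


def forge_prefix(message: bytes, known_prefix_len: int, key: bytes = KEY) -> bytes:
    """Attacker's guess: the correct first N bytes followed by bytes that are
    guaranteed wrong (each real byte inverted). Hypothetical helper used only
    to drive the demonstration; a real attacker would recover the prefix byte
    by byte from timing measurements."""
    real = sign(message, key)
    return real[:known_prefix_len] + bytes((~b) & 0xFF for b in real[known_prefix_len:])


if __name__ == "__main__":
    for prefix in (0, 8, 16, 31):
        guess = forge_prefix(MESSAGE, prefix)
        print(prefix, naive_verify(MESSAGE, guess), safe_verify(MESSAGE, guess))
    print("real tag:", naive_verify(MESSAGE, sign(MESSAGE)), safe_verify(MESSAGE, sign(MESSAGE)))
```

Running it shows `naive_verify` inspecting 1, 9, 17 and 32 bytes for the four forged tags, while `safe_verify` rejects every forgery without revealing anything about the prefix. Note that `hmac.compare_digest` still short-circuits on unequal lengths, so callers should compare fixed-length digests as done here.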
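A large share of the entries above are clickjacking findings, several of them filed simply as a missing `X-Frame-Options` header. The checker below is an added example, not code from Yelp or from any of the reports; it classifies a response's framing policy from its headers, giving `Content-Security-Policy: frame-ancestors` precedence over `X-Frame-Options` as browsers do, and treats the obsolete `ALLOW-FROM` value as providing no protection because current browsers ignore it. The sample responses and paths are constructed for the demonstration.

```python
"""Classify HTTP responses by the framing protection they carry (added example)."""
from typing import Dict, List, Mapping, Optional


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def frame_policy(headers: Mapping[str, str]) -> str:
    """Classify who may embed this response in a frame.

    Returns one of:
      'blocked'   no origin may frame it
      'self'      only same-origin pages may frame it
      'allowlist' only listed third-party origins may frame it
      'open'      any origin may frame it (clickjacking-relevant)
    CSP frame-ancestors wins when present; otherwise X-Frame-Options is used.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "blocked"
            if any(s in ("*", "http:", "https:") for s in sources):
                return "open"
            if all(s == "'self'" for s in sources):
                return "self"
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "self"
    # ALLOW-FROM was never widely supported and is ignored by current browsers,
    # so a response relying on it is effectively unprotected. Any other value
    # (or no header at all) leaves the page frameable.
    return "open"


def frameable_paths(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Paths whose responses any origin could frame, sorted for stable output."""
    return sorted(path for path, hdrs in responses.items() if frame_policy(hdrs) == "open")


# Constructed sample responses keyed by request path; not captured from a real site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/": {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN"},
    "/account/edit": {"Server": "nginx", "Content-Type": "text/html"},
    "/reservations": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "/embed/widget": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
    "/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/public": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(f"{path:16} {frame_policy(hdrs)}")
    print("frameable by any origin:", frameable_paths(SAMPLE_RESPONSES))
```

The interesting cases are `/reservations`, where a CSP `frame-ancestors 'none'` blocks framing even though `X-Frame-Options` alone would have allowed same-origin frames, and `/legacy`, which looks protected by a header but is reported as open. A real audit would feed this the headers of state-changing pages (edit, delete, reserve) rather than the whole site, since those are the ones that matter for the findings listed above.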