writeups.xyz / Omar Espino (@Omespino)

Write Up – Finapi (Open Banking API) OAuth Credentials Exposed In Plain Text In Android App
Write Up – Android Application Screen Lock Bypass Via ADB Brute Forcing
Write Up – Private Bug Bounty: RCE In EC2 Instance Via SSH With Private Key Exposed On Public GitHub Repository – $xx,000 USD
Write Up – Private Bug Bounty: Firebase Database Exposed By Misconfiguration – $2,000 USD
Write Up – XSS Stored In files.slack.com Via XML/SVG File (iOS) – $1,000 USD
Write Up – Apple N/A: PII Information, Full Contact List, Main Phone No. And Main iCloud Email Extracted; Bug Patched: Arbitrary Local File Read Via Zip File And Symlinks On iOS Files App.
Write Up – Google VRP Bug Bounty: /etc/environment Local Variables Exfiltrated On Linux Google Earth Pro Desktop App – $1,337 USD
Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS)
Write Up – Google VRP N/A: Arbitrary Local File Read (macOS) Via <a> Tag And Null Byte (%00) In Google Earth Pro Desktop App
Write Up – Google VRP N/A: SSRF Bypass With Quadzero In Google Cloud Monitoring
Write Up: Google VRP N/A – Sandboxed RCE As Root On Apigee API Proxies
Write Up – Google Bug Bounty: XSS To Cloud Shell Instance Takeover (RCE As Root) – $5,000 USD
Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance”
WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD
Write up – $1,000 USD in 5 minutes, XSS stored in outlook.com (iOS browsers)
Write-up - Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS Mail app
WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?]
POODLE SSLv3 bug on multiple twitter smtp servers
Internal IPs disclosure
Getting access to prompt debug dialog and serialized tool on main website facebook.com
File Disclosure via .DS_Store file (macOS)