Ably Bug Bounty Acknowledgements

Your security contribution matters.

We take security seriously, for our clients and our products, so we appreciate the lengths you went to in submitting your findings.

We have rewarded over 60 bounties to 30 researchers in the 18 months our Bug Bounty program has been running; this is a complete list of all our successful researchers. Please bear in mind when reporting a vulnerability that not all the findings below have been remediated yet.


| Researcher | Vulnerability | Severity (CVSS) |
|---|---|---|
| Anonymous | Remote code execution via the website pricing calculator | Critical (10) |
| Cyrex | IDOR to Delete Anyone's Queues | Critical (9.6) |
| Cyrex | Standard User is able to configure API data on accounts/:id/apps/:id/app_keys | Critical (9.6) |
| Cyrex | Stored cross-site script when creating an app | Critical (9.6) |
| Anonymous | No rate limiting on https://status.ably.com/admin/login | Critical (9.1) |
| Anonymous | Broken authentication: Non Admin User in team Able to Invite other Users To Team | High (9) |
| Anonymous | Website privilege escalation - incorrect rights validation | High (8.8) |
| Anonymous | 2FA Bypass | High (8.8) |
| Anonymous | [email protected] Pre-account Takeover | High (8.8) |
| Anonymous | XSS in API key leads to account takeover | High (8.8) |
| Anonymous | Broken Authentication and Session Management | High (8.8) |
| Anonymous | No Password Authentication on Changing Email Address Leads to Account takeover | High (8.8) |
| Anonymous | Unverified user email allows account squatting | High (8.8) |
| Anonymous | IDOR to add any product to your subscription (Get invitation for any product) | High (8.8) |
| Emad Shanab | Stored XSS via angular js injection in town/city parameter. | High (8.7) |
| Emad Shanab | A XSS vulnerability in ably.com/search | High (8.4) |
| Eugen Lague | Stored XSS vulnerability in website | High (8.4) |
| Eugen Lague | Stored XSS in stream name which can lead to account takeover | High (8.4) |
| Eugen Lague | Attacker can impersonate victim's MFA device and 2FA codes | High (8.1) |
| Eugen Lague | Lack of rate limit on 2FA code allows bypassing of 2FA protection | High (8.1) |
| Eugen Lague | IDOR normal user update name of namespace across accounts | High (8.1) |
| Eugen Lague | Stored XSS in AMQP URL via Integration Rules. | High (8.1) |
| Anonymous | Existing sessions remain active after setting up MFA | High (8) |
| Anonymous | Sms verification bypass by response manipulation | High (7.5) |
| Anonymous | User retains admin rights (hidden) post delete and recreate | High (7.2) |
| Mister Valdezz | User retains admin rights (hidden) post delete and recreate | High (7.2) |
| Shesha Sai C | Privilege escalation via invitation disclosure and lack of email verification | High (7.1) |
| John Michael Mondilla | Utm_source allows external redirects | High (7.1) |
| John Michael Mondilla | Removed admin user is still able to create new app and others via Control API | Medium (6.8) |
| John Michael Mondilla | AngularJS injection | Medium (6.8) |
| John Michael Mondilla | Stored XSS in the error message when you invite an existing user to the same product | Medium (6.8) |
| John Michael Mondilla | password reset token is sharing to third parties in reference header | Medium (6.8) |
| John Michael Mondilla | Delete Queues as standard user | Medium (6.6) |
| John Michael Mondilla | Cross-Domain leakage of invitation codes | Medium (6.6) |
| John Michael Mondilla | Privilege Escalation Leads to Add/Delete Subscriptions | Medium (6.5) |
| John Michael Mondilla | A Standard user is able to delete an app with view only privilege | Medium (6.5) |
| John Michael Mondilla | A standard user can view details of the owner's consumer Integration rules via API request. | Medium (6.5) |
| Eugen Lague | Billing Role Permissions | Medium (6.5) |
| John Michael Mondilla | A standard user has the privilege to manage and edit the api streamer profile (consumer and producer) | Medium (6.3) |
| John Michael Mondilla | Privilege escalation - standard user can edit an API Streamer product | Medium (6.3) |
| Kabeer Saxena | Account Takeover via Stored XSS in Channel's client ID | Medium (6.3) |
| Anonymous | No rate limit in password reset function | Medium (6.3) |
| Anonymous | ably-asset-tracking-js vulnerable to "dependency confusion" attack | Medium (6.3) |
| Anonymous | Stored XSS in Dev console | Medium (6.1) |
| Michael Ness | Open Redirect Vulnerability on rest-admin.ably.io | Medium (6.1) |
| Michael Ness | Admin user can edit app rule with ordinary user's cookies | Medium (6.1) |
| Anonymous | Open redirect on jsbin.ably.com Subdomain | Medium (5.8) |
| Anonymous | Git Plugin up to 4.11.3 on Jenkins Build Authorization CVE-2022-36883 on ci.ably.io | Medium (5.8) |
| Anonymous | Account deletion via social engineering | Medium (5.7) |
| Anonymous | Grafana 7.5.6 exposing data, needs patching | Medium (5.6) |
| Anonymous | Stored XSS in Company details via website URL which can lead to account takeover. | Medium (5.5) |
| Qasim Shah | Password and phone verification bypass changing 2FA | Medium (5.4) |
| Anonymous | Standard user can create a new product and a new subscription on api streamer producer | Medium (5.4) |
| Anonymous | Open redirect bypass in utm_source | Medium (5.4) |
| Anonymous | Subdomain Takeover - http://eu-west-1c-cron.ably.io/mikey96.html | Medium (5.4) |
| Anonymous | File upload blind ssrf | Medium (5.4) |
| Anonymous | Vulnerability Report: Subdomain takeover of us-east-1e-cassandra.ably.io | Medium (5.4) |
| Rishabh Lalchand Pardeshi | Subdomain takeover of eu-west-1c-cassandra-dev.ably.io | Medium (5.4) |
| Anonymous | DOM XSS on Ably Docs site | Medium (5.4) |
| Anonymous | Improper access control - A standard user can unsubscribe the account owner to a subscription. | Medium (5.4) |
| Anonymous | A standard user can change the owner's account settings. | Medium (5.4) |
| Suday Sanjay Chalke | Open Redirect Vulnerability | Medium (5.3) |
| Mr. Wick | HTML INJECTION AND OPEN REDIRECTION | Medium (5.3) |
| Fince | Vulnerability in website (Improper access (ghost)) | Medium (5.3) |
| Anonymous | app_queues API endpoint (app ID OFotlw) has no authorisation | Medium (5.3) |
| Michael Ness | HTML Injection and Open Redirect (realtime.ably.io) | Medium (5.3) |
| Anonymous | Invite user feature will expose any user's name | Medium (5.3) |
| Anonymous | Website script injection - API streamer form value escaping | Medium (5.3) |
| Anonymous | No rate limit protection on admin login page | Medium (5.3) |
| Anonymous | Open redirect bypass in utm_source parameter | Medium (5.3) |
| Anonymous | Rate limit bypass using X-Forwarded-For header | Medium (5.3) |
| Sahil More | Vulnerability in Website | Medium (5.3) |
| Judy Magleo | OAuth bypass (multiple OAuths) | Medium (4.7) |
| Anonymous | XSS issue via the referer header | Medium (4.7) |
| Anonymous | Subdomain takeover of staging-d-fallback.ably-realtime.com | Medium (4.6) |
| Emad Shanab | Locust allows public access with default username and password | Medium (4.6) |
| Farras Givari | XSS vulnerability Message Read Receipts | Medium (4.6) |
| Anonymous | Cache control issue on ably.com | Medium (4.6) |
| Anonymous | Broken Access Control Leads To Violation Of Security Design Principle | Medium (4.5) |
| Anonymous | Disable your 2FA without password check after changing password | Medium (4.4) |
| r3v0lut10n4ry | Subdomain takeover of eu-west-1a-stats.ably.io | Medium (4.3) |
| Anonymous | Standard User able to unsubscribes | Medium (4.3) |
| Anonymous | Standard User able to delete/disable Product | Medium (4.3) |
| Anonymous | Non admin user can edit channel rules (Broken Access Control) | Medium (4.3) |
| Anonymous | Stored XSS in account address line 1 and line 2 via AngularJS injection. | Medium (4.3) |
| r3v0lut10n4ry | HTML Injection via create profile producer or consumer | Medium (4.3) |
| Anonymous | No-rate-limit on admin login page | Medium (4.3) |
| Mohd Ali | Dangling DNS Record | Medium (4.3) |
| Anonymous | Second 2FA entry on same authorisation app invalidates the first | Medium (4.1) |
| Anonymous | Privilege Escalation will lead to a Standard User able to add Channel Rule | Medium (4.1) |
| Anonymous | Missing rate limit on create new app | Low (3.8) |
| Ariel Rachamim | Subdomain Takeover | Low (3.1) |
| Ariel Rachamim + Omri Inbar | Subdomain Takeover | Low (3.1) |
| Prethy M | Dangling DNS Record | Low (3.1) |
| Anonymous | XSS Issue When creating a channel | Low (2.7) |
| John Michael Mondilla | Improper access control - An account admin can change the payment method | Low (2.7) |
| Anonymous | SSL Certificate Expired | Low (2.7) |
| Anonymous | Unrestricted Access to Prometheus Metrics | Low (2.7) |
| Anonymous | Creating apps with same name via race condition | Low (2.7) |
| Anonymous | Queue limit bypass | Low (2.7) |
| Anonymous | Misconfiguration when exceeding the number of api keys leads to prevention of creating keys | Low (2.7) |
| Anonymous | Ability to create a un deletable/editable api keys due to non characters limit flaw. | Low (2.4) |
| Anonymous | Creating uneditable channel rules | Low (2.4) |
| Anonymous | Malicious users can re enable the deleted app via control api | Low (2.4) |
| Anonymous | Stored XSS in New subscribers | Low (2.4) |