Ably Bug Bounty Acknowledgements
Thank you.
Your security contribution matters.
We take security seriously, for our clients and our products, so we appreciate the lengths you went to in submitting your findings.
We have awarded over 60 bounties to 30 researchers in the 18 months our Bug Bounty program has been running. This is a complete list of all our successful researchers. Please bear in mind when reporting a vulnerability that not all of the findings below have been remediated yet.
Researcher | Vulnerability | Severity (CVSS) |
---|---|---|
Anonymous | Remote code execution via the website pricing calculator | Critical (10) |
Cyrex | IDOR to Delete Anyone's Queues | Critical (9.6) |
Cyrex | Standard User is able to configure API data on accounts/:id/apps/:id/app_keys | Critical (9.6) |
Cyrex | Stored cross-site scripting when creating an app | Critical (9.6) |
Anonymous | No rate limiting on https://status.ably.com/admin/login | Critical (9.1) |
Anonymous | Broken authentication: non-admin team user able to invite other users to the team | High (9) |
Anonymous | Website privilege escalation - incorrect rights validation | High (8.8) |
Anonymous | 2FA Bypass | High (8.8) |
Anonymous | [email protected] Pre-account Takeover | High (8.8) |
Anonymous | XSS in API key leads to account takeover | High (8.8) |
Anonymous | Broken Authentication and Session Management | High (8.8) |
Anonymous | No Password Authentication on Changing Email Address Leads to Account takeover | High (8.8) |
Anonymous | Unverified user email allows account squatting | High (8.8) |
Anonymous | IDOR to add any product to your subscription (Get invitation for any product) | High (8.8) |
Emad Shanab | Stored XSS via AngularJS injection in town/city parameter | High (8.7) |
Emad Shanab | An XSS vulnerability in ably.com/search | High (8.4) |
Eugen Lague | Stored XSS vulnerability in website | High (8.4) |
Eugen Lague | Stored XSS in stream name which can lead to account takeover | High (8.4) |
Eugen Lague | Attacker can impersonate victim's MFA device and 2FA codes | High (8.1) |
Eugen Lague | Lack of rate limit on 2FA code allows bypassing of 2FA protection | High (8.1) |
Eugen Lague | IDOR normal user update name of namespace across accounts | High (8.1) |
Eugen Lague | Stored XSS in AMQP URL via Integration Rules | High (8.1) |
Anonymous | Existing sessions remain active after setting up MFA | High (8) |
Anonymous | SMS verification bypass by response manipulation | High (7.5) |
Anonymous | User retains admin rights (hidden) post delete and recreate | High (7.2) |
Mister Valdezz | User retains admin rights (hidden) post delete and recreate | High (7.2) |
Shesha Sai C | Privilege escalation via invitation disclosure and lack of email verification | High (7.1) |
John Michael Mondilla | Utm_source allows external redirects | High (7.1) |
John Michael Mondilla | Removed admin user is still able to create new app and others via Control API | Medium (6.8) |
John Michael Mondilla | AngularJS injection | Medium (6.8) |
John Michael Mondilla | Stored XSS in the error message when you invite an existing user to the same product | Medium (6.8) |
John Michael Mondilla | Password reset token leaked to third parties via the Referer header | Medium (6.8) |
John Michael Mondilla | Delete Queues as standard user | Medium (6.6) |
John Michael Mondilla | Cross-Domain leakage of invitation codes | Medium (6.6) |
John Michael Mondilla | Privilege Escalation Leads to Add/Delete Subscriptions | Medium (6.5) |
John Michael Mondilla | A Standard user is able to delete an app with view only privilege | Medium (6.5) |
John Michael Mondilla | A standard user can view details of the owner's consumer Integration rules via API request | Medium (6.5) |
Eugen Lague | Billing Role Permissions | Medium (6.5) |
John Michael Mondilla | A standard user has the privilege to manage and edit the api streamer profile (consumer and producer) | Medium (6.3) |
John Michael Mondilla | Privilege escalation - standard user can edit an API Streamer product | Medium (6.3) |
Kabeer Saxena | Account Takeover via Stored XSS in Channel's client ID | Medium (6.3) |
Anonymous | No rate limit in password reset function | Medium (6.3) |
Anonymous | ably-asset-tracking-js vulnerable to "dependency confusion" attack | Medium (6.3) |
Anonymous | Stored XSS in Dev console | Medium (6.1) |
Michael Ness | Open Redirect Vulnerability on rest-admin.ably.io | Medium (6.1) |
Michael Ness | Admin user can edit app rule with ordinary user's cookies | Medium (6.1) |
Anonymous | Open redirect on jsbin.ably.com Subdomain | Medium (5.8) |
Anonymous | Git Plugin up to 4.11.3 on Jenkins Build Authorization CVE-2022-36883 on ci.ably.io | Medium (5.8) |
Anonymous | Account deletion via social engineering | Medium (5.7) |
Anonymous | Grafana 7.5.6 exposing data, needs patching | Medium (5.6) |
Anonymous | Stored XSS in Company details via website URL which can lead to account takeover | Medium (5.5) |
Qasim Shah | Password and phone verification bypass changing 2FA | Medium (5.4) |
Anonymous | Standard user can create a new product and a new subscription on api streamer producer | Medium (5.4) |
Anonymous | Open redirect bypass in utm_source | Medium (5.4) |
Anonymous | Subdomain Takeover - http://eu-west-1c-cron.ably.io/mikey96.html | Medium (5.4) |
Anonymous | File upload blind ssrf | Medium (5.4) |
Anonymous | Vulnerability Report: Subdomain takeover of us-east-1e-cassandra.ably.io | Medium (5.4) |
Rishabh Lalchand Pardeshi | Subdomain takeover of eu-west-1c-cassandra-dev.ably.io | Medium (5.4) |
Anonymous | DOM XSS on Ably Docs site | Medium (5.4) |
Anonymous | Improper access control - a standard user can unsubscribe the account owner from a subscription | Medium (5.4) |
Anonymous | A standard user can change the owner's account settings | Medium (5.4) |
Suday Sanjay Chalke | Open Redirect Vulnerability | Medium (5.3) |
Mr. Wick | HTML injection and open redirect | Medium (5.3) |
Fince | Vulnerability in website (Improper access (ghost)) | Medium (5.3) |
Anonymous | app_queues API endpoint (app ID OFotlw) has no authorisation | Medium (5.3) |
Michael Ness | HTML Injection and Open Redirect (realtime.ably.io) | Medium (5.3) |
Anonymous | Invite user feature will expose any user's name | Medium (5.3) |
Anonymous | Website script injection - API streamer form value escaping | Medium (5.3) |
Anonymous | No rate limit protection on admin login page | Medium (5.3) |
Anonymous | Open redirect bypass in utm_source parameter | Medium (5.3) |
Anonymous | Rate limit bypass using X-Forwarded-For header | Medium (5.3) |
Sahil More | Vulnerability in Website | Medium (5.3) |
Judy Magleo | OAuth bypass (multiple OAuths) | Medium (4.7) |
Anonymous | XSS issue via the referer header | Medium (4.7) |
Anonymous | Subdomain takeover of staging-d-fallback.ably-realtime.com | Medium (4.6) |
Emad Shanab | Locust allows public access with default username and password | Medium (4.6) |
Farras Givari | XSS vulnerability Message Read Receipts | Medium (4.6) |
Anonymous | Cache control issue on ably.com | Medium (4.6) |
Anonymous | Broken Access Control Leads To Violation Of Security Design Principle | Medium (4.5) |
Anonymous | Disable your 2FA without password check after changing password | Medium (4.4) |
r3v0lut10n4ry | Subdomain takeover of eu-west-1a-stats.ably.io | Medium (4.3) |
Anonymous | Standard user able to unsubscribe | Medium (4.3) |
Anonymous | Standard User able to delete/disable Product | Medium (4.3) |
Anonymous | Non admin user can edit channel rules (Broken Access Control) | Medium (4.3) |
Anonymous | Stored XSS in account address line 1 and line 2 via AngularJS injection | Medium (4.3) |
r3v0lut10n4ry | HTML Injection via create profile producer or consumer | Medium (4.3) |
Anonymous | No-rate-limit on admin login page | Medium (4.3) |
Mohd Ali | Dangling DNS Record | Medium (4.3) |
Anonymous | Second 2FA entry on the same authenticator app invalidates the first | Medium (4.1) |
Anonymous | Privilege Escalation will lead to a Standard User able to add Channel Rule | Medium (4.1) |
Anonymous | Missing rate limit on create new app | Low (3.8) |
Ariel Rachamim | Subdomain Takeover | Low (3.1) |
Ariel Rachamim + Omri Inbar | Subdomain Takeover | Low (3.1) |
Prethy M | Dangling DNS Record | Low (3.1) |
Anonymous | XSS Issue When creating a channel | Low (2.7) |
John Michael Mondilla | Improper access control - An account admin can change the payment method | Low (2.7) |
Anonymous | SSL Certificate Expired | Low (2.7) |
Anonymous | Unrestricted Access to Prometheus Metrics | Low (2.7) |
Anonymous | Creating apps with same name via race condition | Low (2.7) |
Anonymous | Queue limit bypass | Low (2.7) |
Anonymous | Misconfiguration when exceeding the number of api keys leads to prevention of creating keys | Low (2.7) |
Anonymous | Ability to create undeletable/uneditable API keys due to a missing character-limit check | Low (2.4) |
Anonymous | Creating uneditable channel rules | Low (2.4) |
Anonymous | Malicious users can re-enable a deleted app via the Control API | Low (2.4) |
Anonymous | Stored XSS in New subscribers | Low (2.4) |