Top 25 Race Condition Bug Bounty Reports
In this article, we will discuss Race Condition vulnerability, how to find one, and present 25 disclosed reports based on this issue.
What is Race Condition?
According to OWASP:
“A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for.”
In other words, race conditions are triggered when users unintentionally (impatient users) or intentionally (malicious actors) are tampering with application functionality timings, for example, sending a request at the same time by clicking very fast on a button.
Not only they are difficult to find in the wild, but also hard to detect.
How to test for Race Conditions
Usually, race conditions can affect applications that apply mathematical functions like add and subtract, for example money transfers, modifying a product price by applying a gift card or discount voucher, and so on.
User must tamper with the sequence of the events in order to find a race condition vulnerability, like applying the same discount code twice at the same moment, which will result in subtracting the same amount multiplied by two, but this depends very much on the back-end environment. It will occur mostly in multi-threaded applications. In our example, two threads would be trying to modify the shared piece of data (the product price) at the same time.
Top 25 Race Conditions Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
Company: Flash (IBB)
Bounty: $10,000
#2
Title: Race condition in Flash workers may cause an exploitable double free
Company: Flash (IBB)
Bounty: $10,000
#3
Title: Race Conditions in OAuth 2 API implementations
Company: The Internet
Bounty: $2,500
#4
Title: Race condition in performing retest allows duplicated payments
Company: HackerOne
Bounty: $2,100
#5
Title: Adobe Flash Player Race Condition Vulnerability
Company: Flash (IBB)
Bounty: $2,000
#6
Title: Race condition in activating email resulting in infinite amount of diamonds received
Company: InnoGames
Bounty: $2,000
#7
Title: Race Condition allows to redeem multiple times gift cards which leads to free “money”
Company: Reverb.com
Bounty: $1,500
#8
Title: Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com
Company: HackerOne
Bounty: $1,250
#9
Title: Race condition на market.games.mail.ru
Company: Mail.ru
Bounty: $1,000
#10
Title: Race condition leads to duplicate payouts
Company: Hackerone
Bounty: $750
#11
Title: Race Condition Vulnerability On Pornhubpremium.com
Company: PornHub
Bounty: $520
#12
Title: Race Condition leads to undeletable group member
Company: HackerOne
Bounty: $500
#13
Title: Race Conditions in Popular reports feature.
Company: HackerOne
Bounty: $500
#14
Title: Race Condition in Flag Submission
Company: HackerOne
Bounty: $500
#15
Title: Race condition in claiming program credentials
Company: HackerOne
Bounty: $500
#16
Title: Race condition at create new Location
Company: Shopify
Bounty: $500
Link: Race condition at create new Location
#17
Title: race condition in adding team members
Company: Shopify
Bounty: $500
#18
Title: Race condition (TOCTOU) in NordVPN can result in local privilege escalation
Company: NordVPN
Bounty: $500
#19
Title: Register multiple users using one invitation (race condition)
Company: Keybase
Bounty: $350
#20
Title: Race conditions can be used to bypass invitation limit
Company: Keybase
Bounty: $350
#21
Title: Race condition when redeeming coupon codes
Company: Dropbox
Bounty: $216
#22
Title: Race Condition in Redeeming Coupons
Company: Instacart
Bounty: $200
#23
Title: Race Condition in account survey
Company: Slack
Bounty: $150
#24
Title: Bypass subdomain limits using race condition
Company: Charturbate
Bounty: $100
#25
Title: Race condition allowing user to review app multiple times
Company: Coinbase
Bounty: $100
Bonus: 5 Zero Dollars Race Conditions Reports
#1
Title: Race Condition : Exploiting the loyalty claim https://xxx.vendhq.com/loyalty/claim/email/xxxxx url and gain x amount of loyalty bonus/cash
Company: Vend VDP
Bounty: $0
#2
Title: JSBeautifier BApp: Race condition leads to memory disclosure
Company: PortSwigger Web Security
Bounty: $0
#3
Title: Race condition in GitLab import, giving access to other people their imports due to filename collision
Company: GitLab
Bounty: $0
#4
Title: Race Condition in Definition Votes
Company: Urban Dictionary
Bounty: $0
#5
Title: Race Conditions Exist When Accepting Invitations
Company: HackerOne
Bounty: $0
I would like to thank you for your time and please stay safe!
