30/06/2015

Reward

100 $ 

Western Union

Western Union is a financial services and communications company based in the United States.

In general, Western Union adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings, but they do reserve the right to alter priority on a case-by-case basis. Any submission where the priority is altered will be accompanied by an explanation from the Western Union team.

Note on special domains: the following transaction/core domains attract higher rewards because of their sensitivity:

  • https://www.westernunion.com
  • https://ebanking.westernunionbank.com
  • https://paynow7.speedpay.com
  • https://paynow40.speedpay.com
  • payee.globalpay.westernunion.com
  • partnernet.westernunion.com

Targets

In scope

Target name | Type
---|---
www.speedpay.com | Website
payments.westernunion.com | Website
https://www.westernunion.com | Other
https://www2.westernunion.com | Other
https://www.westernunion.fr | Other
https://www.westernunion.de | Other
https://www.westernunion.no | Other
https://www.westernunion.se | Other
https://www.westernunion.ca | Other
https://www.westernunion.nl | Other
https://www.westernunion.es | Other
https://www.westernunion.ie | Other
https://www.westernunion.ch | Other
https://www.westernunion.pt | Other
https://www.westernunion.be | Other
https://www.westernunion.dk | Other
https://www.westernunion.fi | Other
https://www.westernunion.pl | Other
https://www.westernunion.ee | Other
https://www.westernunion.lu | Other
https://www.westernunion.gr | Other
https://www.westernunion.at | Other
https://www.westernunion.it | Other
https://www.westernunion.co.nz | Other
https://www.westernunion.co.uk | Other
https://www.westernunion.com.au | Other
https://cuba.westernunion.com | Other
https://egypt.westernunion.com | Other
https://hk.westernunion.com | Other
https://india.westernunion.com | Other
https://jamaica.westernunion.com | Other
https://locations.westernunion.com | Other
https://m.westernunion.com | Other
https://senegal.westernunion.com | Other
https://sg.westernunion.com | Other
https://wuagentportal.westernunion.com | Website
https://agentportal.westernunion.com | Website
https://paynow7.speedpay.com/ | Website
https://paynow40.speedpay.com | Website
https://westernunionbank.com | Website
https://ebanking.westernunionbank.com | Website
https://auth.globalpay.westernunion.com | Website
http://globalpay.westernunion.com | Website
payee.globalpay.westernunion.com | Website
https://gpfi.globalpay.westernunion.com | Website
transvision.westernunion.com | Website
partnernet.westernunion.com | Website
www.wuprepaid.de | Website
iwgo.westernunion.com | Website
https://business.westernunion.com/ | Website
http://agenttraining.westernunion.com | Website
https://paymentstatus.westernunion.com | Website
https://foundation.westernunion.com | Website
https://partners.westernunion.com | Website
wucare.westernunion.com | Website
secure.westernunion.com | Website
corporate.westernunion.com | Website
https://www.wuprepaid.at/ | Website
https://onlinefx.westernunion.com/ | Website
https://online.westernunion.com/mp.en/pages/loginform.aspx | Website
Western Union iOS app (link below) | iOS
Western Union Android app (link below) | Android
www.wuedge.com | Website
trackpayments.westernunion.com | Website
masspay.api.westernunion.com | Website
wuinsights.westernunion.com | Website
remoteaccess.westernunion.com | Website
secureauth.westernunion.com | Website

Out of scope

Target name | Type
---|---
https://www.inmateservices.westernunion.com | Other
Any asset not listed above as 'In Scope' | Website
https://rewardcircle.westernunion.com | Website

Any domain/property of Western Union not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you find an issue on a domain/property that is not listed above, please submit it to our kudos program instead.
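The scope rule above is mechanical enough to encode, and checking it before sending a single request is cheaper than arguing about it in triage. The following Python is an added example, not part of the program brief or any Bugcrowd or Western Union tooling: it transcribes the hostnames from the Targets tables on this page into a checker a tester can run over candidate URLs. The function names, status labels, the simplified registrable-domain heuristic and the sample URLs are assumptions made for the example. The checker compares hostnames only; the one path-bearing target (online.westernunion.com/mp.en/pages/loginform.aspx) is listed on the page as a full URL, so treat a hostname match as necessary but not sufficient.

```python
"""Scope checker built from the Targets tables on this page.

Added example, not part of the program brief. The host lists are transcribed
from the page; every function name, status label and sample URL is an
assumption made for the example.
"""
from urllib.parse import urlsplit

# In-scope hostnames transcribed from the "In scope" table. The mobile apps are
# not hostnames and are omitted; schemes and paths in the table do not widen
# the scope, so the hostname is the unit of comparison here.
IN_SCOPE_HOSTS = frozenset("""
www.speedpay.com payments.westernunion.com www.westernunion.com www2.westernunion.com
www.westernunion.fr www.westernunion.de www.westernunion.no www.westernunion.se
www.westernunion.ca www.westernunion.nl www.westernunion.es www.westernunion.ie
www.westernunion.ch www.westernunion.pt www.westernunion.be www.westernunion.dk
www.westernunion.fi www.westernunion.pl www.westernunion.ee www.westernunion.lu
www.westernunion.gr www.westernunion.at www.westernunion.it www.westernunion.co.nz
www.westernunion.co.uk www.westernunion.com.au cuba.westernunion.com
egypt.westernunion.com hk.westernunion.com india.westernunion.com
jamaica.westernunion.com locations.westernunion.com m.westernunion.com
senegal.westernunion.com sg.westernunion.com wuagentportal.westernunion.com
agentportal.westernunion.com paynow7.speedpay.com paynow40.speedpay.com
westernunionbank.com ebanking.westernunionbank.com auth.globalpay.westernunion.com
globalpay.westernunion.com payee.globalpay.westernunion.com
gpfi.globalpay.westernunion.com transvision.westernunion.com
partnernet.westernunion.com www.wuprepaid.de iwgo.westernunion.com
business.westernunion.com agenttraining.westernunion.com
paymentstatus.westernunion.com foundation.westernunion.com
partners.westernunion.com wucare.westernunion.com secure.westernunion.com
corporate.westernunion.com www.wuprepaid.at onlinefx.westernunion.com
online.westernunion.com www.wuedge.com trackpayments.westernunion.com
masspay.api.westernunion.com wuinsights.westernunion.com
remoteaccess.westernunion.com secureauth.westernunion.com
""".split())

# Explicit "Out of scope" rows; these win over everything else.
OUT_OF_SCOPE_HOSTS = frozenset({
    "www.inmateservices.westernunion.com",
    "rewardcircle.westernunion.com",
})

# The "special domains" the brief says carry higher rewards.
HIGH_VALUE_HOSTS = frozenset({
    "www.westernunion.com", "ebanking.westernunionbank.com",
    "paynow7.speedpay.com", "paynow40.speedpay.com",
    "payee.globalpay.westernunion.com", "partnernet.westernunion.com",
})


def normalise_host(target: str) -> str:
    """Lower-case hostname of a URL or bare host, with port and path dropped."""
    if "://" not in target:
        target = "//" + target          # scheme-relative so urlsplit sees a netloc
    host = urlsplit(target).hostname    # urlsplit already lower-cases this
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Parent domain of a host. Simplified public-suffix rule (an assumption):
    a two-letter TLD preceded by 'co' or 'com' (co.uk, com.au, co.nz) keeps
    three labels; everything else keeps two."""
    labels = host.split(".")
    keep = 3 if (len(labels) >= 3 and labels[-2] in ("co", "com")
                 and len(labels[-1]) == 2) else 2
    return ".".join(labels[-keep:])


# Parent domains derived from the listed hosts, so that an unlisted Western
# Union subdomain can be told apart from an unrelated site.
WU_PARENT_DOMAINS = frozenset(
    registrable_domain(h) for h in IN_SCOPE_HOSTS | OUT_OF_SCOPE_HOSTS)


def check_scope(target: str) -> tuple[str, str]:
    """Classify a URL or host against the program scope; returns (status, reason).
    Explicit exclusions are checked first, then the in-scope list, then the rule
    that any unlisted subdomain is out of scope and belongs in the kudos program."""
    host = normalise_host(target)
    if host in OUT_OF_SCOPE_HOSTS:
        return "out-of-scope-listed", "explicitly listed as out of scope"
    if host in HIGH_VALUE_HOSTS:
        return "in-scope-high-value", "transaction/core domain, higher rewards"
    if host in IN_SCOPE_HOSTS:
        return "in-scope", "listed in-scope target"
    if registrable_domain(host) in WU_PARENT_DOMAINS:
        return ("out-of-scope-unlisted-subdomain",
                "Western Union property not listed; submit via the kudos program")
    return "out-of-scope-unrelated", "not a listed Western Union asset"


if __name__ == "__main__":
    # Constructed sample candidates, not URLs taken from the page's own text.
    for url in ("https://www.westernunion.com/send-money/start",
                "http://globalpay.westernunion.com",
                "https://rewardcircle.westernunion.com/promo",
                "https://mail.westernunion.com",
                "https://api.westernunion.co.uk/v1",
                "https://example.org"):
        status, reason = check_scope(url)
        print(f"{url:48} {status:34} {reason}")
```

Explicit exclusions are tested before the in-scope list on purpose: a program's out-of-scope rows are a denylist and must win over any broader match, and the registrable-domain heuristic here is deliberately a stand-in for a real public-suffix list, which is what a production scope tool should use.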

For this program, researchers are invited to test the production builds of the Western Union mobile apps for Android and iOS, as well as the API calls those applications make. Researchers are free to self-provision accounts as needed. Note, however, that Western Union cannot and will not provide test credit cards or refunds for purchases at this time: either cancel any orders immediately, or transfer only small amounts of currency.

Access:

The production build of the iOS app can be downloaded here
The production build of the Android app can be downloaded here
API documentation (or at least a list of endpoints utilized by the mobile apps) is available here
Please note that @bugcrowdninja.com email addresses may not work when registering for an account. For this program, feel free to use your testing Gmail address, or whatever is most expedient for your testing purposes.

Additional Information/Rules of Engagement:

  • Assets in the scope above are variations on a single core web application that handles all requests. A security issue reproduced on one domain will therefore be reproducible on the other domains; such findings are treated as a single core issue and earn a single reward.
  • Submissions rated P1-P2 must include a working attack scenario to be eligible for a reward (for example, a demonstrated read of /etc/passwd rather than just web.inf).

Updates:

10/5/18 - JSON, JS and CSS findings will not be rewarded or marked as out of scope. Reflected XSS will be rated P4 and stored XSS P3.

5/24/18 - Both www.speedpay.com and payments.westernunion.com are now in-scope targets for the program.

7/10/18 - wuagentportal.westernunion.com, agentportal.westernunion.com, and paynow7.speedpay.com are now in-scope targets for the program.

Focus Areas:

  • Send Money / Track Transfer pages
  • We are most interested in vulnerabilities on our core platform and infrastructure
  • Ability to remotely gain access to other users' PCI details (credit card number, CVV, etc.)
  • Ability to remotely gain access to other users' PII details (first name, last name, payment information, etc.)
  • Remote Code Execution
  • Significant Authentication Bypass
  • Exfiltration of sensitive data, PII, PCI data or MTCNs (Money Transfer Control Numbers)
  • Remote Unauthorized Access to full WU database

Out of Scope

  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in the trade of stolen/breached user credentials.
  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to Infrastructure.
  • Do NOT use automated scanners and tools.

The following finding types are specifically excluded from the bounty:

  • 3rd Party Clients (e.g. WordPress). If you are unsure whether or not a client is 3rd party, please check with us.
  • Re-posting of vendor notices for platform updates
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Username Enumeration
  • Visible Detailed Error/Debug Page - Detailed Server Configuration

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019