23/04/2018

Reward

50 € 

Bug Bounty Program - BlaBlaCar

Rules


About the company

BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!

Since 2013, BlaBlaCar has grown exponentially and we're now a community of over 40 million members in more than 20 countries. As a result, we need to keep our members' privacy and data secure.

Reporting & Disclosure Policy

BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.
  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or to a third party.
  • Please avoid DDoSing us or causing a service disruption while testing our platform, and take care not to endanger the privacy of our members.
  • Do not try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.
  • If you find the same vulnerability several times, please create only one report and, if necessary, use comments. You'll be rewarded according to your findings.

Domains in the scope of this program

  • All localized versions of our website.

Domains | Domains
---|---
https://www.blablacar.cz | https://www.blablacar.com.ua
https://www.blablacar.de | https://m.blablacar.de
https://www.blablacar.co.uk | https://m.blablacar.co.uk
https://www.blablacar.in | https://m.blablacar.in
https://www.blablacar.es | https://m.blablacar.es
https://www.blablacar.mx | https://m.blablacar.mx
https://www.fr.blablacar.be | https://m.fr.blablacar.be
https://www.blablacar.fr | https://m.blablacar.fr
https://www.blablacar.hr | https://m.blablacar.hr
https://www.blablacar.hu | https://m.blablacar.hu
https://www.blablacar.it | https://m.blablacar.it
https://www.nl.blablacar.be | https://m.nl.blablacar.be
https://www.blablacar.nl | https://m.blablacar.nl
https://www.blablacar.pl | https://m.blablacar.pl
https://www.blablacar.com.br | https://m.blablacar.com.br
https://www.blablacar.pt | https://m.blablacar.pt
https://www.blablacar.ro | https://m.blablacar.ro
https://www.blablacar.ru | https://m.blablacar.ru
https://www.sk.blablacar.com | https://m.sk.blablacar.com
https://www.rs.blablacar.gg | https://m.rs.blablacar.gg
https://www.blablacar.com.tr | https://m.blablacar.com.tr
https://www.blablacar.com.ua | https://m.blablacar.com.ua

Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.

Scopes of the program

  • Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
  • Missing "secure" flags on authentication cookies (PHPSESSID, blablacar_token)
  • Sensitive members information exposure except during a usual trip flow
  • SQL Injection
  • Remote Code Execution (RCE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc.)
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Finding numeric user id (even yours), in integer format (UUID4 user ids can be exposed).
  • Decrypting this: a1eb77ff94d12fa7s42lHZ1RBvYYQ8YD1h1bOVA82wORD2w1coIyeTJflqo=
  • Decrypting this: 0A5CRg99Df2muBSoXijzv-4kwhEsZSw1oA3UMnTWfq0
  • Exposure of internal tools (web apps showing metrics without authentication, development environments, etc.)
  • Exposure of configuration files or secrets (from BlaBlaCar's GitHub organisation (https://github.com/blablacar), employees' open-source projects, etc.)

Sensitive member information includes: last name, phone number (except after booking a trip), email, physical address, license plate, and copies of physical ID documents.

High target value

Bounties are doubled if the vulnerability:

  • affects the API: you can either proxy your mobile device and use the app, or create a client id and access the documentation at https://dev.blablacar.com

  • affects payment, whatever the nature of the vulnerability

  • affects our encryption strategies

Ineligible reports

  • Any hypothetical flaw or best-practice issue without an exploitable POC
  • Login, logout, unauthenticated or low-value CSRF
  • Unverified results of automated tools or scanners
  • Social engineering (including phishing) of BlaBlaCar staff or contractors
  • Any physical attempts against BlaBlaCar offices or data centers
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Presence/absence of SPF/DMARC records
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting users of outdated browsers and platforms
  • Self XSS
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Mixed content warnings
  • Brute force / password reuse attacks
  • User enumeration attacks
  • Premium phone numbers attacks
  • Denial of service
  • Missing cookie flags on non-sensitive cookies (sensitive cookies are blablacar_token and PHPSESSID)
  • Attacks requiring physical access to a user's device
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Massive automated actions on the platform through robots/crawling (except if they gather sensitive information from members)
  • Finding ways to give ratings to members without actually travelling with them
  • Lack of context in SMS messages containing a code sent to members
  • Persistent login cookie weaknesses
  • Everything related to our external partner Datadome and its scraping protection
  • Errors thrown by nginx when requests are invalid (e.g. during fuzzing)
  • Security issues related to our WordPress blog
  • Selling or ransoming user information obtained through password reuse or other attacks
  • Host header injection, unless you can successfully forge a wrong URL or compromise something using it
  • CORS configuration, unless you can show a way to exploit it to compromise sensitive information

Notes about the WordPress blog:

  • most of its paths begin with /blablalife, but there are also /press and other paths in different languages
  • if in doubt, you can also check the page source (the wordpress keyword appears throughout)

However, even if an issue appears in the ineligible list above, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working POC. If it convinces us to change our code, we will reward you with a bounty.


FireBounty (c) 2015-2018