50 $


About the company

BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!

Since 2013, BlaBlaCar has grown exponentially and we're now a community of over 40 million members in more than 20 countries. We therefore need to keep our members' privacy and data secure.

Reporting & Disclosure Policy

BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

* Let us know as soon as possible after discovering a potential security issue, and we'll make every effort to resolve it quickly.
* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
* Please avoid DDoSing us or causing service disruption while testing our platform, and take care not to endanger the privacy of our members.
* Do not over-exploit a bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.

Domains in the scope of this program

All localized versions of our website.

Domains:

* https://www.blablacar.cz
* https://www.blablacar.com.ua
* https://m.blablacar.com.ua
* https://www.blablacar.de
* https://m.blablacar.de
* https://www.blablacar.co.uk
* https://m.blablacar.co.uk
* https://www.blablacar.in
* https://m.blablacar.in
* https://www.blablacar.es
* https://m.blablacar.es
* https://www.blablacar.mx
* https://m.blablacar.mx
* https://www.fr.blablacar.be
* https://m.fr.blablacar.be
* https://www.blablacar.fr
* https://m.blablacar.fr
* https://www.blablacar.hr
* https://m.blablacar.hr
* https://www.blablacar.hu
* https://m.blablacar.hu
* https://www.blablacar.it
* https://m.blablacar.it
* https://www.nl.blablacar.be
* https://m.nl.blablacar.be
* https://www.blablacar.nl
* https://m.blablacar.nl
* https://www.blablacar.pl
* https://m.blablacar.pl
* https://www.blablacar.com.br
* https://m.blablacar.com.br
* https://www.blablacar.pt
* https://m.blablacar.pt
* https://www.blablacar.ro
* https://m.blablacar.ro
* https://www.blablacar.ru
* https://m.blablacar.ru
* https://www.sk.blablacar.com
* https://m.sk.blablacar.com
* https://www.rs.blablacar.gg
* https://m.rs.blablacar.gg
* https://www.blablacar.com.tr
* https://m.blablacar.com.tr

Our API: https://api.blablacar.com

Our Android Application

Our iOS Application

Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.

Scopes of the program

* Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
* Missing "secure" flags on authentication cookies (PHPSESSID, blablacar_token)
* Sensitive members information exposure except during a usual trip flow
* SQL Injection
* Remote Code Execution (RCE)
* Access Control Issues (Insecure Direct Object Reference issues, etc.)
* Directory Traversal Issues
* Local File Disclosure (LFD)
* Finding numeric user id (even yours)
* Decrypting this: a1eb77ff94d12fa7s42lHZ1RBvYYQ8YD1h1bOVA82wORD2w1coIyeTJflqo=
* Decrypting this: 0A5CRg99Df2muBSoXijzv-4kwhEsZSw1oA3UMnTWfq0

What counts as sensitive member information: last name, phone number (except after booking a trip), email, physical address, license plate, copy of a physical ID.

High target value

Bounties are doubled if the vulnerability:

* affects the API: you can either proxy your mobile device's traffic and use the app, or create a client id and access the documentation at https://dev.blablacar.com
* affects payment, whatever the nature of the vulnerability
* affects our encryption strategies

Ineligible reports

* Any hypothetical flaw or best-practice recommendation without an exploitable PoC
* Login, logout, unauthenticated or low-value CSRF
* Unverified results of automated tools or scanners
* Social engineering (including phishing) of BlaBlaCar staff or contractors
* Any physical attempts against BlaBlaCar offices or data centers
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Presence/absence of SPF/DMARC records
* Presence of autocomplete attribute on web forms
* Vulnerabilities affecting users of outdated browsers and platforms
* Self XSS
* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
* Mixed content warnings
* Brute force / password reuse attacks
* User enumeration attacks
* Premium phone numbers attacks
* Denial of service
* Missing cookie flags on non-sensitive cookies
* Attacks requiring physical access to a user's device
* Disclosure of known public files or directories (e.g. robots.txt)
* Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information from members)
* Finding ways to give ratings to members without actually travelling with them
* Lack of context on SMS containing a code sent to members
* Persistent login cookie weaknesses
* Everything related to our external partner Datadome and its scraping protection
* Errors thrown by nginx when the request was invalid / fuzzing
* Security issues related to our WordPress blog
* Selling or ransoming user information obtained through password reuse or other attacks

Notes about the WordPress blog:

* most of its paths begin with /blablalife, but there are also /press and others in different languages
* if in doubt, you can also check the page source (the wordpress keyword appears everywhere)

However, even if a bug falls under the out-of-scope list, if you really feel it will have an impact on our platform, please come up with a convincing, working PoC. If it convinces us to change our code, we will reward you with a bounty.

Change log: 18/09/2017
Added ineligible report: Errors thrown by nginx when the request was invalid / fuzzing


FireBounty (c) 2016