50€ Minimum bounty
Reports Accepted 117
Hunters thanked 50
Reward types : Bounty Gift Hall Of Fame
Bug Bounty Program - BlaBlaCar
About the company
BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!
Since 2013, BlaBlaCar has grown exponentially and we’re now a community of over 40 millions members in more than 20 countries. Thus, we need to keep our member’s privacy and data secure.
Reporting & Disclosure Policy
BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Please avoid DDOSing us or causing a service disruption while testing our platform. And take care of not endangering the privacy or our members.
- Do not try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.
- If you find the same vulnerability several times, please create only one report and eventually use comments. You'll be rewarded accordingly to your findings.
Domains in the scope of this program
- All localized versions of our website.
- Our api https://api.blablacar.com
Our Android Application
Our IOS Application
Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.
Scopes of the program
- Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
- Missing "secure" flags on authentication cookies (PHPSESSID, blablacar_token)
- Sensitive members information exposure except during a usual trip flow
- SQL Injection
- Remote Code Execution (RCE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Finding numeric user id (even yours), in integer format (UUID4 user ids can be exposed).
- Decrypting this: a1eb77ff94d12fa7s42lHZ1RBvYYQ8YD1h1bOVA82wORD2w1coIyeTJflqo=
- Decrypting this: 0A5CRg99Df2muBSoXijzv-4kwhEsZSw1oA3UMnTWfq0
- Exposure of internal tools (web apps showing metrics without authentication, development environments, etc)
- Exposure of configuration files or secrets (from GitHub on blablacar (https://github.com/blablacar) or employee's opensource projects, etc)
What are sensitive member information: lastname, phone number (except after booking a trip), email, physical address, license plate, physical id copy.
High target value
Bounties are doubled if the vulnerability:
affect the API: you can either proxify your mobile and use the app, or create a client id and access the doc at https://dev.blablacar.com
affect the payment, whatever the nature of the vulnerability
- affect our encryption strategies
- Any hypothetical flaw or best practices without exploitable POC
- Login, logout, unauthenticated or low-value CSRF
- Unverified results of automated tools or scanners
- Social engineering (including phishing) of BlaBlaCar staff or contractors
- Any physical attempts against BlaBlaCar offices or data centers
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Presence/absence of SPF/DMARC records
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting users of outdated browsers and platforms
- Self XSS
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
- Mixed content warnings
- Brute force / password reuse attacks
- User enumeration attacks
- Premium phone numbers attacks
- Denial of service
- Missing cookie flags on non-sensitive cookies (sensitive cookies are
- Attacks requiring physical access to a user's device
- Disclosure of known public files or directories, (e.g. robots.txt)
- Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information from members)
- Finding ways to give ratings to members without actually travelling with them
- Lack of context on SMS containing a code sent to members
- Persistent login cookie weaknesses
- Everything related to our external partner Datadome and its scrapping protection
- Errors thrown by nginx when the request were invalid / fuzzing
- Security issues related to our wordpress blog
- Sell/ransom user information taken from password reuse or other attacks
- Host injection, except if you can successfully forge a wrong URL or compromise something using it
- CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
Notes about the wordpress blog:
- most of its paths begin with /blablalife, but there's also /press and others in different languages
- you can also check its source code (as wordpress keyword is everywhere) if you have any doubt
However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.
[2018-05-28 13:49:32 CEST]
Added two new kind of issues allowed in our scope:
- exposure of internal tools (metric web apps without authentication, exposed dev environments etc)
- exposure of configuration files (from wrongly configured web server, or from github opensource projects etc)
[2018-04-23 11:50:39 CEST]
Disambiguate "finding numeric user id".
Our user ids are available in 3 formats:
We don't want to expose user ids in the "integer" format.
[2018-04-20 16:43:52 CEST]
We've recently received many reports about host injection, thanks everyone for your dedication.
But no one were able to exploit it so far, in a way that compromise something (forge a wrong url, etc).
As we are migrating our platform we'll take care of this issue at the right time, and put host injection out of scope until proven dangerous for our members.
Also added details about what are "sensitive cookies" regarding cookie flags.
[2018-04-20 12:38:01 CEST]
We received many times several identical reports for the very same issue, but with just an URL that changes.
It is easier to manage all similar issues on the same ticket.
[2018-03-19 17:14:31 CET]
Clarify how to recognize the wordpress blog
[2018-03-16 17:54:58 CET]
Clarified that https://dev.blablacar.com is out of scope:
- it will help hunters to create client_ids / secrets to connect https://api.blablacar.com
- but it itself is not eligible for reports
[2018-03-16 14:46:58 CET]
add ineligible report: Sell/ransom user information taken from password reuse or other attacks
add high target value