Skyscanner

  • $100 – $8,000 per vulnerability
  • Safe harbor

New Multi Passenger API on the WEB - Can you get my data?

There is new functionality in the passenger profile. This brings Web in line with App and allows Travellers to manage their Passengers within their Account. Previously, a traveller could only manage the “primary traveller” details. The new Web UI means potential for your payloads to mess with our platform.

Affected API Endpoints:

  • GET /profile/passenger
  • GET /profile/api/traveller

c4n y0u 937 my d374115 02 num832 0f my p455p027?

  • My UTID is: "27ae552d-bd79-44c3-a88a-a48b2d06020d"
  • "passengerId":"130cd48ca39143e6adc9bb1519b7e78d"
  • loyaltyCards "id":"50b9935b-11df-4207-a4ec-55d18927baff"

Did you know that we increased rewards? Now we are paying $100 – $8,000 per vulnerability - Just show us a PoC.

Standard bug bounty rules apply:
https://www.skyscanner.net/media/vulnerability-disclosure-policy
https://bugcrowd.com/skyscanner

Happy hunting!