resolved
Cross-Site Leakage of Review Ownership via Navigation Detection
Bug reported by was disclosed at April 6, 2026, 9:28 pm | Information Disclosure
A vulnerability allowed detection of user login status by exploiting differences in Cross-Origin-Opener-Policy (COOP) headers between authenticated and unauthenticated states on the website. The issue was addressed by implementing consistent COOP headers across all domains.
resolved
Reflected Cross-Site Scripting Vulnerability in Glassdoor Blog Search
Bug reported by Jonathan was disclosed at April 6, 2026, 9:20 pm | Cross-site Scripting (XSS) - Reflected
A reflected cross-site scripting vulnerability was discovered in the Glassdoor blog search functionality. The vulnerability was remediated by strengthening input validation and output encoding.
resolved
Full account takeover without user interaction
Bug reported by Anas Cyber (Basti U.P) was disclosed at April 6, 2026, 9:12 pm | Improper Authentication - Generic
A vulnerability in the email verification process allowed bypassing of email validation checks. An attacker could manipulate the API response to change the isValidated parameter, enabling registration of accounts with unregistered email addresses and verification without legitimate access to the inbox. This resulted in account takeover of unregistered email addresses without requiring user interaction. The vulnerability was resolved by implementing server-side validation to prevent social authentication setup on unverified accounts.
resolved
Unauthorized usage of External API Key (Usage of Google Maps API Key ==> $$$)
Bug reported by Aviel Tzarfaty was disclosed at April 6, 2026, 3:57 pm | Violation of Secure Design Principles
A Google Maps API key was found in the source code of a Glassdoor webpage, which allowed unauthorized usage of the API. The API key was not configured securely.