AppLovin HackerOne


Structured Scope
  • Columns: Asset Identifier / Asset Type / Max Severity
  • Android SDK

    * **What it is:**
    * SDK that our clients embed into their applications.
    * **What it does:**
    * Requests and serves AppLovin ads.
    * **What to look for:**
    * Any vulnerability that a third party could exploit to disrupt the SDK's normal operation.
    * **Test plan**
    * Use the demo application and integration guide at https://github.com/AppLovin/AppLovin-MAX-SDK-Android to get started with the Android SDK.
    * **Android SDKs** – Android SDK that our clients embed into their applications. Findings here are more likely to earn bounties in the high to critical range, depending on impact. SDKs can be downloaded from [https://www.applovin.com/integration](https://www.applovin.com/integration).

    Asset Type: OTHER / Max Severity: critical
  • r.applovin.com

    * **What it is:**
    * An endpoint for automated reports.
    * **What it does:**
    * Provides the reporting API to AppLovin partners.
    * **What to look for:**
    * SQL injection
    * IDOR attacks
    * Accessing data belonging to other users
    * **Test plan**
    * Get an API key from the "Account" section of the AppLovin dashboard.
    * Use https://a-support.applovin.com/hc/en-us/articles/115000784688-Basic-Reporting-API as a guide to the available parameters.

    Asset Type: URL / Max Severity: critical
  • iOS SDK

    * **What it is:**
    * SDK that our clients embed into their applications.
    * **What it does:**
    * Requests and serves AppLovin ads.
    * **What to look for:**
    * Any vulnerability that a third party could exploit to disrupt the SDK's normal operation.
    * **Test plan**
    * Use the demo application and integration guide at https://github.com/AppLovin/AppLovin-MAX-SDK-iOS to get started with the iOS SDK.
    * **iOS SDK** – iOS SDK that our clients embed into their applications. Findings here are more likely to earn bounties in the high to critical range, depending on impact. SDKs can be downloaded from [https://www.applovin.com/integration](https://www.applovin.com/integration).

    Asset Type: OTHER / Max Severity: critical
  • dash.applovin.com

    * **What it is:**
    * This is our primary dashboard for all of our clients.
    * **What it does:**
    * It contains account settings, advertisement configuration, application management and the other features that make up our platform.
    * **What to look for:**
    * Privilege escalation.
    * Being able to view data from admin accounts or other user accounts.
    * Gaining access to other users' SSNs, bank addresses or bank account numbers.
    * IDOR attacks
    * SQL injection attacks
    * **Test plan**
    * Sign up for an account at: https://dash.applovin.com/signup

    Asset Type: URL / Max Severity: critical
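As an added example that is not part of this HackerOne page or AppLovin's own code, the Python below models the two bug classes the r.applovin.com and dash.applovin.com entries ask for (cross-account data access via IDOR, and SQL injection in a report filter) as a toy reporting endpoint written once vulnerable and once hardened, together with the black-box probes a tester would run against either. The endpoint shape, the `api_key` and `app` parameter names, the account table and the report rows are assumptions for illustration, not AppLovin's real API.

```python
"""
Added example, not AppLovin's code: a toy reporting endpoint in the shape the
scope describes (an API key selects an account, query parameters filter a
report), written once with the two bug classes the scope lists and once
hardened, plus the black-box probes a tester would run against either.
The parameter names (api_key, app), the account table and the report rows
are constructed assumptions, not AppLovin's real API.
"""
import sqlite3
from typing import Dict, List, Tuple

# Constructed tenants: API key -> account id (assumption, not real keys).
ACCOUNTS = {"key-alpha": 1, "key-bravo": 2}

# Constructed report rows: (account_id, app, day, impressions, revenue).
ROWS = [
    (1, "com.alpha.game", "2024-01-01", 1000, 12.5),
    (2, "com.bravo.app", "2024-01-01", 5000, 80.0),
]

Response = Tuple[int, List[tuple]]


def _db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (account_id INTEGER, app TEXT, day TEXT, "
                 "impressions INTEGER, revenue REAL)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def report_vulnerable(params: Dict[str, str]) -> Response:
    """Vulnerable: the API key only gates access, it does not scope the query,
    and the app filter is concatenated straight into SQL."""
    if params.get("api_key") not in ACCOUNTS:
        return 401, []
    sql = "SELECT app, day, impressions, revenue FROM report"
    if "app" in params:
        sql += " WHERE app = '%s'" % params["app"]  # SQLi, and no tenant check
    return 200, _db().execute(sql).fetchall()


def report_hardened(params: Dict[str, str]) -> Response:
    """Hardened: every query is bound to the caller's own account and all
    client-supplied values travel as bind parameters, never as SQL text."""
    account = ACCOUNTS.get(params.get("api_key", ""))
    if account is None:
        return 401, []
    sql = "SELECT app, day, impressions, revenue FROM report WHERE account_id = ?"
    args: List[object] = [account]
    if "app" in params:
        sql += " AND app = ?"
        args.append(params["app"])
    return 200, _db().execute(sql, args).fetchall()


# ---- black-box probes, the same ones you would point at a real endpoint ----

def probe_cross_account(endpoint, my_key: str, other_app: str) -> bool:
    """IDOR / cross-tenant read: request another account's app with my key.
    Any row coming back is a finding."""
    status, rows = endpoint({"api_key": my_key, "app": other_app})
    return status == 200 and len(rows) > 0


def probe_sqli(endpoint, my_key: str, my_app: str) -> bool:
    """Boolean-based SQLi: a tautology appended to a filter value must never
    widen the result set relative to the clean request."""
    _, baseline = endpoint({"api_key": my_key, "app": my_app})
    status, widened = endpoint({"api_key": my_key, "app": my_app + "' OR '1'='1"})
    return status == 200 and len(widened) > len(baseline)


def run_probes(endpoint) -> Dict[str, bool]:
    """Run both probes as account alpha, targeting account bravo's app."""
    return {
        "cross_account_read": probe_cross_account(endpoint, "key-alpha", "com.bravo.app"),
        "sql_injection": probe_sqli(endpoint, "key-alpha", "com.alpha.game"),
    }


if __name__ == "__main__":
    for name, ep in (("vulnerable", report_vulnerable), ("hardened", report_hardened)):
        print(name, run_probes(ep))
```

Against a live target the two probes become two HTTP requests each: the baseline with your own key and your own app id, then the same request with a second account's app id (cross-account) or a tautology in the filter (injection). Comparing row counts rather than looking for error strings is what keeps the check usable when the server hides database errors.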
Target Scope Domains
  • dash.applovin.com
  • r.applovin.com
Domain Scope
  • applovin.com