HackerOne bug bounty platform breached by its own user

The bug bounty specialist paid the hacker responsible a cool $20,000 for their efforts

Provider of bug bounty support to major global organisations HackerOne has paid one of its members for exposing an internal security breach. 

A reward of $20,000 (£15,244) has been given to haxta4ok00, the bug hunter who exposed the mistake committed by a staffer at the company which helps the likes of Uber, Goldman Sachs and the US Department of Defense offer bug bounties of their own.

The bug hunter was potentially able to view the records and private, undisclosed vulnerabilities of HackerOne's biggest clients due to what the company is calling a "human error".

A HackerOne security analyst tasked with verifying disclosure reports from bug hunters sent a URL loaded with their session cookie information which the hunter was able to use to view things on the site only logged-in staffers should be able to.

Sending URLs between analyst and hunter is a routine process, HackerOne said in a report. 

"When a security analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report," said HackerOne. "During this dialogue, security analysts may include steps they've taken in their response to the report, including HTTP requests that they made to reproduce. 

"In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie," it added.

The company confirmed that the event lasted only a short time and was not carried out with malicious intent. No undisclosed vulnerabilities were stolen, exploited or published as a result of the incident. All copies of potentially sensitive information were deleted.

"Similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users," said Craig Young, senior security researcher at Tripwire.

Related Resource

Why UEM is the key to enterprise IT security

A guide to effective endpoint security

Download now

"While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organisations take by using managed vulnerability reporting services like BugCrowd or HackerOne," he added. "The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal."

Something that seemed to concern Jobert Abma, co-founder of HackerOne and the individual responsible for following-up with haxta4ok00, was the observation he made regarding the sheer number of pages the hunter opened while accessing a privileged account.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma. "Would you mind explaining why you did so to us?"

"I did it to show the impact," said haxta4ok00. "I didn't mean any harm by it. I reported it to you at once.

"I apologise if I did anything wrong, but it was just a white hack," the bug hunter added.

The issue was given a CVSS score of 8.3, which is considered "high", not as severe as the likes of BlueKeep, for example.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021