HackerOne bug bounty platform breached by its own user

The bug bounty specialist paid the hacker responsible a cool $20,000 for their efforts

Provider of bug bounty support to major global organisations HackerOne has paid one of its members for exposing an internal security breach. 

A reward of $20,000 (£15,244) has been given to haxta4ok00, the bug hunter who exposed the mistake committed by a staffer at the company which helps the likes of Uber, Goldman Sachs and the US Department of Defense offer bug bounties of their own.

Advertisement - Article continues below

The bug hunter was potentially able to view the records and private, undisclosed vulnerabilities of HackerOne's biggest clients due to what the company is calling a "human error".

A HackerOne security analyst tasked with verifying disclosure reports from bug hunters sent a URL loaded with their session cookie information which the hunter was able to use to view things on the site only logged-in staffers should be able to.

Sending URLs between analyst and hunter is a routine process, HackerOne said in a report. 

"When a security analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report," said HackerOne. "During this dialogue, security analysts may include steps they've taken in their response to the report, including HTTP requests that they made to reproduce. 

"In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie," it added.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The company confirmed that the event lasted only a short time and was not carried out with malicious intent. No undisclosed vulnerabilities were stolen, exploited or published as a result of the incident. All copies of potentially sensitive information were deleted.

"Similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users," said Craig Young, senior security researcher at Tripwire.

Related Resource

Why UEM is the key to enterprise IT security

A guide to effective endpoint security

Download now

"While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organisations take by using managed vulnerability reporting services like BugCrowd or HackerOne," he added. "The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal."

Something that seemed to concern Jobert Abma, co-founder of HackerOne and the individual responsible for following-up with haxta4ok00, was the observation he made regarding the sheer number of pages the hunter opened while accessing a privileged account.

Advertisement - Article continues below

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma. "Would you mind explaining why you did so to us?"

"I did it to show the impact," said haxta4ok00. "I didn't mean any harm by it. I reported it to you at once.

"I apologise if I did anything wrong, but it was just a white hack," the bug hunter added.

The issue was given a CVSS score of 8.3, which is considered "high", not as severe as the likes of BlueKeep, for example.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Most Popular

Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020