HackerOne bug bounty platform breached by its own user

The bug bounty specialist paid the hacker responsible a cool $20,000 for their efforts

Provider of bug bounty support to major global organisations HackerOne has paid one of its members for exposing an internal security breach. 

A reward of $20,000 (£15,244) has been given to haxta4ok00, the bug hunter who exposed the mistake committed by a staffer at the company which helps the likes of Uber, Goldman Sachs and the US Department of Defense offer bug bounties of their own.

Advertisement - Article continues below

The bug hunter was potentially able to view the records and private, undisclosed vulnerabilities of HackerOne's biggest clients due to what the company is calling a "human error".

A HackerOne security analyst tasked with verifying disclosure reports from bug hunters sent a URL loaded with their session cookie information which the hunter was able to use to view things on the site only logged-in staffers should be able to.

Sending URLs between analyst and hunter is a routine process, HackerOne said in a report. 

"When a security analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report," said HackerOne. "During this dialogue, security analysts may include steps they've taken in their response to the report, including HTTP requests that they made to reproduce. 

"In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie," it added.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The company confirmed that the event lasted only a short time and was not carried out with malicious intent. No undisclosed vulnerabilities were stolen, exploited or published as a result of the incident. All copies of potentially sensitive information were deleted.

"Similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users," said Craig Young, senior security researcher at Tripwire.

Related Resource

Why UEM is the key to enterprise IT security

A guide to effective endpoint security

Download now

"While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organisations take by using managed vulnerability reporting services like BugCrowd or HackerOne," he added. "The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal."

Something that seemed to concern Jobert Abma, co-founder of HackerOne and the individual responsible for following-up with haxta4ok00, was the observation he made regarding the sheer number of pages the hunter opened while accessing a privileged account.

Advertisement - Article continues below

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma. "Would you mind explaining why you did so to us?"

"I did it to show the impact," said haxta4ok00. "I didn't mean any harm by it. I reported it to you at once.

"I apologise if I did anything wrong, but it was just a white hack," the bug hunter added.

The issue was given a CVSS score of 8.3, which is considered "high", not as severe as the likes of BlueKeep, for example.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020