HackerOne awards $20,000 bug bounty for private data access vulnerability on its own platform

An analyst and a cut-and-paste job resulted in a critical security problem.

HackerOne has awarded $20,000 to a researcher who disclosed a way to access private bug reports on the platform.

The irony is not lost on the bug bounty platform: HackerOne is used by companies large and small to tap into a pool of cybersecurity researchers and enthusiasts who find and responsibly disclose vulnerabilities.

This kind of vulnerability crowdsourcing has grown in popularity over recent years as data breaches have become an everyday occurrence and organizations find themselves pitted against threat actors constantly seeking ways to compromise websites, software, and online services.

However, the same kinds of bugs that HackerOne helps companies find and squash can affect these platforms, too.

This week, a report was made public of a serious session cookie exposure on HackerOne that could be used for account takeover and unauthorized access to private information.

In a report submitted privately on November 24, a bug bounty hunter who goes by the handle haxta4ok revealed they were able to access a security analyst's HackerOne account.

The analyst, a HackerOne staff member, had accidentally posted their session cookie, which gave haxta4ok access to the analyst's account and, through it, to private bug reports submitted by others.

HackerOne says the "human error" occurred while the analyst was attempting to reproduce a submission made to the platform. The attempt failed, so the analyst followed up with the hacker who had reported the bug in question; in doing so, however, they also exposed their own valid session cookie.

It was a cut-and-paste problem. As the platform explains, during this dialogue "parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie." Browser developer tools' "Copy as cURL" reproduces a request with every header the browser sent, including the Cookie header, so the command line itself carries the live session credential.
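As an added illustration (not code from HackerOne or from the original report), the following Python helper strips credential-bearing headers and flags from a browser-generated cURL command before it is pasted into a report or ticket. The sample command, hostname, cookie value and token are constructed; the set of headers treated as secret is an assumption about what a practitioner would normally redact.

```python
import shlex

# Request headers whose values are credentials. Browser "Copy as cURL"
# (bash form) emits every header the browser sent, including these.
SENSITIVE_HEADERS = {
    "cookie", "authorization", "proxy-authorization",
    "x-csrf-token", "x-xsrf-token",  # anti-CSRF tokens travel with the session
}
# curl flags whose *next* token is a credential.
SENSITIVE_FLAGS = {"-b", "--cookie", "-u", "--user"}
REDACTED = "<redacted>"


def _tokens(cmd: str) -> list:
    # Join shell line continuations ("\" + newline) so shlex sees one command.
    return shlex.split(cmd.replace("\\\n", " "))


def _redact_tokens(tokens: list) -> tuple:
    """Return (tokens with secrets blanked, number of secrets found)."""
    out, found, i = [], 0, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-H", "--header") and nxt is not None:
            name, sep, value = nxt.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                if value.strip() != REDACTED:
                    found += 1
                nxt = f"{name.strip()}: {REDACTED}"
            out += [tok, nxt]
            i += 2
        elif tok in SENSITIVE_FLAGS and nxt is not None:
            if nxt != REDACTED:
                found += 1
            out += [tok, REDACTED]
            i += 2
        else:
            out.append(tok)
            i += 1
    return out, found


def redact_curl(cmd: str) -> str:
    """Copy of a curl command line with credentials blanked, rest intact."""
    out, _ = _redact_tokens(_tokens(cmd))
    return shlex.join(out)


def leaks_credentials(cmd: str) -> bool:
    """True if the command still carries a session cookie or auth token."""
    return _redact_tokens(_tokens(cmd))[1] > 0


# Constructed sample in the shape Chrome DevTools' "Copy as cURL" produces;
# host, path, cookie and token values are made up.
SAMPLE = """curl 'https://example.invalid/reports/12345' \\
  -H 'accept: application/json' \\
  -H 'cookie: __Host-session=c0ffee1234; _ga=GA1.2.1' \\
  -H 'x-csrf-token: Zm9vYmFy' \\
  -H 'user-agent: Mozilla/5.0' \\
  --compressed"""

if __name__ == "__main__":
    print("leaks before:", leaks_credentials(SAMPLE))
    print(redact_curl(SAMPLE))
    print("leaks after:", leaks_credentials(redact_curl(SAMPLE)))
```

A check like `leaks_credentials` is cheap enough to run as a pre-submit hook on report comments, which is the same class of control as the comment audit HackerOne performed after the fact; the Windows cmd.exe form of "Copy as cURL" uses `^` escaping and is not handled here.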

Because the cookie was still live, everything the analyst was permitted to access on the platform was also available to the external hacker, including the customer reports the employee was handling and a Human-Augmented Signal (HAS) inbox containing reports that were not connected to standard HackerOne triage.
 
It took HackerOne two hours to respond to the original report, which arrived on a Sunday morning.

"For critical submissions, HackerOne's security team automatically receives a notification on Slack," the firm says. "This works during business hours but is unreliable over the weekend."

The session cookie was revoked the same day, two hours and three minutes after HackerOne triaged the report. A subsequent audit of comments on the platform, launched to check for other accidental cookie leaks, found no other live cookies.

A bug bounty of $20,000 was awarded to haxta4ok for the critical issue, reflecting its impact on private client data and accounts.

Customers whose information was viewable have been notified, and HackerOne has now restricted analyst sessions to their originating IP addresses, so that a leaked session cookie replayed from elsewhere is no longer sufficient to use the account.
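To show what binding a session to its originating address does to a leaked cookie, here is an added example in Python (hypothetical, not HackerOne's implementation): a minimal server-side session store that records the client address at login and refuses the same cookie from any other address. The user name and the IP addresses, which come from the documentation ranges, are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    user: str
    bound_ip: str      # address the session was issued to
    expires_at: float  # absolute expiry, seconds since the epoch


class SessionStore:
    """Server-side session table with IP binding and a hard TTL.
    Hypothetical illustration; the policy choices are assumptions."""

    def __init__(self, ttl_seconds: float = 8 * 3600, clock=time.time):
        self._sessions = {}        # token -> Session
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry is testable

    def create(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user, client_ip, self._clock() + self._ttl)
        return token

    def resolve(self, token: str, client_ip: str) -> Tuple[Optional[str], str]:
        """Map a presented cookie to a user: (user, "ok") or (None, reason).

        client_ip must be the address the application trusts after its own
        proxy layer, never a client-supplied X-Forwarded-For value."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown"
        if self._clock() >= sess.expires_at:
            self.revoke(token)
            return None, "expired"
        if client_ip != sess.bound_ip:
            # A valid cookie arriving from another address is exactly the
            # leaked-cookie case. Dropping the session forces the real user
            # to log in again, which also surfaces the incident.
            self.revoke(token)
            return None, "ip_mismatch"
        return sess.user, "ok"

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def replay_leaked_cookie(store: SessionStore) -> list:
    """Walk through the incident shape: an analyst logs in, the cookie leaks,
    and someone else replays it. Returns the outcome of each step."""
    analyst_ip, outsider_ip = "203.0.113.10", "198.51.100.7"  # constructed
    cookie = store.create("analyst", analyst_ip)
    return [
        store.resolve(cookie, analyst_ip)[1],   # analyst's own request
        store.resolve(cookie, outsider_ip)[1],  # replay from elsewhere
        store.resolve(cookie, analyst_ip)[1],   # analyst again, after the replay
    ]


if __name__ == "__main__":
    print(replay_leaked_cookie(SessionStore()))
```

The trade-off is that address binding breaks sessions for users on mobile networks, carrier-grade NAT or rotating VPN exits, which is why it is tolerable for a small population of staff analysts and rarely for customers at large. It narrows the window in which a leaked cookie is useful; it does not replace revoking the cookie once a leak is known.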
