HackerOne bug bounty platform breached by its own user

Provider of bug bounty support to major global organisations HackerOne has paid one of its members for exposing an internal security breach.

A reward of $20,000 (£15,244) has been given to haxta4ok00, the bug hunter who exposed the mistake committed by a staffer at the company which helps the likes of Uber, Goldman Sachs and the US Department of Defense offer bug bounties of their own.

The bug hunter was potentially able to view the records and private, undisclosed vulnerabilities of HackerOne's biggest clients due to what the company is calling a "human error".

A HackerOne security analyst tasked with verifying disclosure reports from bug hunters sent a URL loaded with their session cookie information which the hunter was able to use to view things on the site only logged-in staffers should be able to.

Sending URLs between analyst and hunter is a routine process, HackerOne said in a report.

"When a security analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report," said HackerOne. "During this dialogue, security analysts may include steps they've taken in their response to the report, including HTTP requests that they made to reproduce.

"In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie," it added.

The company confirmed that the event lasted only a short time and was not carried out with malicious intent. No undisclosed vulnerabilities were stolen, exploited or published as a result of the incident. All copies of potentially sensitive information were deleted.

"Similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users," said Craig Young, senior security researcher at Tripwire.

"While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organisations take by using managed vulnerability reporting services like BugCrowd or HackerOne," he added. "The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal."

Something that seemed to concern Jobert Abma, co-founder of HackerOne and the individual responsible for following-up with haxta4ok00, was the observation he made regarding the sheer number of pages the hunter opened while accessing a privileged account.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma. "Would you mind explaining why you did so to us?"

"I did it to show the impact," said haxta4ok00. "I didn't mean any harm by it. I reported it to you at once.

"I apologise if I did anything wrong, but it was just a white hack," the bug hunter added.

The issue was given a CVSS score of 8.3, which is considered "high", not as severe as the likes of BlueKeep, for example.