
HackerOne platform got hacked by a researcher who reported a vulnerability but never got paid

HackerOne is one of the most important vulnerability reporting platforms, and as such it holds large amounts of sensitive information, which can sometimes be exposed. According to ethical hacking specialists, the platform had to pay more than $20k USD after mistakenly granting improper access to an external actor, as reported by Ars Technica.

This external actor is a hacker who had previously collaborated with the platform. Weeks earlier, one of HackerOne’s analysts had exchanged a series of messages with the hacker; in one of them, the analyst mistakenly sent cURL code snippets that included valid session cookies, which allowed their holder to read and partially modify some data held by HackerOne and its analysts.
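The mistake described above is a credential leak: a cURL command line that carries a `Cookie:` header or a `-b` option is as sensitive as a password. As an added example that is not part of the original article, the following Python function (names, redaction marker and sample cURL line are all constructed here) finds the session cookies in a snippet and redacts their values before the text is pasted into a message.

```python
import re

# Two places a curl command line can carry a live session:
#   -H 'Cookie: name=value; ...'   (explicit header; matched only when quoted)
#   -b 'name=value; ...' / -b FILE (curl reads pairs if "=" is present, else a cookie file)
_COOKIE_HEADER = re.compile(
    r"""(?<!\S)(?P<lead>(?:-H|--header)\s+(?P<q>['"])[Cc]ookie:\s*)(?P<val>[^'"]*)(?P=q)"""
)
_COOKIE_FLAG = re.compile(
    r"""(?<!\S)(?P<lead>(?:-b|--cookie)\s+)(?:(?P<q>['"])(?P<qval>[^'"]*)(?P=q)|(?P<uval>\S+))"""
)


def _redact_pairs(cookie_str: str) -> tuple[str, list[str]]:
    # Turn 'a=1; b=2' into 'a=<redacted>; b=<redacted>' and collect the names seen.
    names, parts = [], []
    for part in cookie_str.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name = part.split("=", 1)[0].strip()
            names.append(name)
            parts.append(f"{name}=<redacted>")
        else:
            parts.append(part)
    return "; ".join(parts), names


def redact_curl_cookies(snippet: str) -> tuple[str, list[str]]:
    """Return (snippet with cookie values removed, names of cookies found); an empty list means clean."""
    found: list[str] = []

    def header_sub(m: re.Match) -> str:
        redacted, names = _redact_pairs(m.group("val"))
        found.extend(names)
        return f"{m.group('lead')}{redacted}{m.group('q')}"

    def flag_sub(m: re.Match) -> str:
        val = m.group("qval") if m.group("qval") is not None else m.group("uval")
        if "=" not in val:  # a cookie-jar file path: report it, leave the text alone
            found.append(f"<cookie file {val}>")
            return m.group(0)
        redacted, names = _redact_pairs(val)
        found.extend(names)
        quote = m.group("q") or ""
        return f"{m.group('lead')}{quote}{redacted}{quote}"

    text = _COOKIE_HEADER.sub(header_sub, snippet)
    return _COOKIE_FLAG.sub(flag_sub, text), found


# Constructed sample resembling the kind of snippet described in the article.
SAMPLE = (
    "curl 'https://example.invalid/api/reports' "
    "-H 'Cookie: __Host-session=c0nstructed.s3ss10n.t0ken; locale=en' "
    "-H 'Accept: application/json'"
)
```

Anything returned in the second element should stop the paste; a `-b FILE` hit is reported rather than rewritten because the risk there is the cookie-jar file itself.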

Member ‘haxta4ok00’ wrote to HackerOne: “I can read and edit all security reports. I haven’t changed a thing and I haven’t exploited this flaw, all for the sake of the hacking community.” The user also offered to send evidence of their claims to the analysts of the platform.

HackerOne revoked the session cookie shortly
after the user informed them about the error; the platform’s ethical hacking
team then began an investigation to determine any possible consequences.

In its report on the incident, HackerOne says that potentially affected partner companies have already been notified, and adds that not all security reports received were compromised, only those the analyst who made the mistake had access to. However, the platform also published a transcript of its interaction with user haxta4ok00, which suggests that the scope of the incident could be considerable.

In the conversation, Jobert Abma, co-founder of HackerOne, questions the user about how he verified that he had access to the reports, to which the user replied: “Three years ago I reported on this kind of attack, but only at the theoretical level, although no one listened to me. I understand that I am not authorized to access this data, but I did so for ethical hacking purposes.”

Ethical hacking experts believe that this incident could also have given the user other malicious capabilities on the platform, such as access to reward payment systems, rule modification, user modification, or alteration of received reports. Despite this, the user claims that he did not modify anything; for his part, Reed Loden, the platform’s director of security, says that there is no record of any changes to the information.

The security director also mentioned that the theoretical attack the user claims to have reported three years ago was based on older browsers that were not (and still are not) compatible with HackerOne’s requirements.

According to the ethical hacking specialists from the International Institute of Cyber Security (IICS), although there is no evidence that the user altered or stored the compromised information, this incident should serve as a reminder of the security risks faced by platforms like HackerOne and the companies that rely on them, and of the need to build environments less prone to the exploitation of security flaws.
