Last week, an online exchange about a bug bounty report that a hacker submitted to HackerOne, a news aggregator, resulted in the hacker accessing private reports after an analyst’s session cookie was shared. The analyst copied a cURL command from a browser and sent it to the hacker without removing the sensitive information it contained. The hacker accessed HackerOne customer reports, including reports from private bug bounty programs: 25 reports in the default view of the HAS inbox, 100 reports shown in the user interface of the Triage inbox, and 25 reports in the default view of the main inbox.
The hacker’s access was limited to the data the analyst had permission to view. HackerOne stated that the customers whose data was accessed had already received a private notification. The hacker submitted a report to HackerOne explaining what information he could view, and HackerOne resolved the issue on the 24th of November. The underlying problem is not that the analyst shared the session cookie in the cURL command, but that the platform did not implement additional defenses. HackerOne also stated that its investigation found no similar incidents had occurred previously. After confirming the legitimacy of the finding and the hacker’s transparency, the platform awarded a $20,000 bug bounty. The issue was rated high severity with a CVSS score of 8.3.
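Two defensive layers that address the failure mode described above, written as an added example rather than anything taken from the original article or from HackerOne's own code: a scrubber that redacts credential-bearing headers from a browser-copied cURL command before it is shared, and a server-side session store that binds each session to the client address that created it and revokes the session when the cookie is presented from anywhere else. The header list, the session scheme, the addresses and the sample command are all assumptions constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header names whose values are credentials. Which headers count is an
# assumption made for this example; extend the set for your own application.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-xsrf-token"}

# "-H 'Name: value'" / "--header \"Name: value\"" as emitted by a browser's "Copy as cURL".
_HEADER_RE = re.compile(r"""(-H|--header)\s+(['"])(.*?)\2""", re.S)
# "-b 'name=value'" / "--cookie '...'" also carries the session.
_COOKIE_FLAG_RE = re.compile(r"""(-b|--cookie)\s+(['"])(.*?)\2""", re.S)


def redact_curl(command: str) -> str:
    """Return the cURL command with credential-bearing header values replaced."""

    def scrub_header(m: re.Match) -> str:
        flag, quote, header = m.group(1), m.group(2), m.group(3)
        name, sep, _value = header.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            return f"{flag} {quote}{name.strip()}: <REDACTED>{quote}"
        return m.group(0)  # harmless header, keep verbatim

    redacted = _HEADER_RE.sub(scrub_header, command)
    # A cookie passed via -b/--cookie is a credential as a whole; drop the entire value.
    return _COOKIE_FLAG_RE.sub(lambda m: f"{m.group(1)} {m.group(2)}<REDACTED>{m.group(2)}", redacted)


@dataclass(frozen=True)
class Session:
    user: str
    client_ip: str        # address the session was created from
    programs: frozenset   # programs whose reports this user may view


class SessionStore:
    """Sessions bound to the client address that created them (assumed scheme)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []  # what a SOC would want to see

    def create(self, user: str, client_ip: str, programs: frozenset) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, programs)
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[Session]:
        """Return the session for this token, or None if unknown or presented from another address."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.client_ip != client_ip:
            # A copied cookie used from elsewhere: revoke and alert instead of serving the request.
            self.alerts.append(
                f"session of {session.user} bound to {session.client_ip} "
                f"presented from {client_ip}; revoked"
            )
            del self._sessions[token]
            return None
        return session


def demo() -> dict:
    """Walk through the scenario with constructed data; returns the results for inspection."""
    store = SessionStore()
    token = store.create("analyst", "203.0.113.10", frozenset({"private-program-a"}))
    # Constructed stand-in for a command copied from the browser's network panel.
    shared = (f"curl 'https://example.com/reports' -H 'Accept: application/json' "
              f"-H 'Cookie: _session={token}'")
    return {
        "redacted_command": redact_curl(shared),
        "own_use": store.resolve(token, "203.0.113.10"),
        "replayed_use": store.resolve(token, "198.51.100.7"),
        "alerts": list(store.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding a session to a single client address is deliberately strict; users behind carrier NAT or switching between Wi-Fi and mobile will be logged out, so a production variant often prefers short session lifetimes plus step-up authentication when the address changes, while still raising the alert so the reuse is visible to the security team.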
Read More: Hacker Accessed Private Reports on HackerOne