The bug bounty platform HackerOne has paid a $20,000 bounty to an outside hacker after it unintentionally gave them the ability to read and modify some of its customers' bug reports.
It all started when the outsider, a HackerOne community member with a confirmed track record of finding vulnerabilities, was communicating with one of the company's security analysts. The HackerOne analyst sent the user, who goes by the handle haxta4ok00, parts of a cURL command.
However, the cURL command the analyst sent mistakenly included a valid session cookie, which could be used by anyone who possessed it to read and even partially modify all of the data the analyst had access to.
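The failure here is a credential travelling inside a pasted command. As an added illustration (not code from HackerOne or the original article), the following Python scrubs cookie and authorization material from a cURL command before it is shared; the command string and its cookie values are constructed for the example.

```python
import re

# Constructed sample: the kind of cURL command an analyst might paste into a chat.
# Every cookie and token value below is made up for this example.
SAMPLE_CURL = (
    "curl 'https://example.test/reports/123' "
    "-H 'Cookie: _session_id=abc123deadbeef; theme=dark' "
    "-H 'Authorization: Bearer tok_example' "
    "-b 'other_sess=zzz' "
    "--cookie 'x=1' "
    "-H 'Accept: application/json'"
)

# Header names whose values grant access to whoever reads the paste.
SENSITIVE_HEADERS = ("cookie", "authorization", "x-api-key")

# -H 'Name: value' or --header "Name: value" (single- or double-quoted).
_HEADER_RE = re.compile(r"""(-H|--header)\s+(['"])([^:'"]+):\s*(.*?)\2""")
# -b 'jar' or --cookie 'jar': the whole argument is cookie material.
_COOKIE_FLAG_RE = re.compile(r"""(-b|--cookie)\s+(['"])(.*?)\2""")


def redact_curl(cmd: str) -> str:
    """Return cmd with credential-bearing header and cookie values replaced by <REDACTED>.

    Non-sensitive headers (Accept, Content-Type, ...) are left untouched so the
    command stays useful for whoever receives it.
    """
    def _hdr(m: re.Match) -> str:
        flag, q, name, _value = m.groups()
        if name.strip().lower() in SENSITIVE_HEADERS:
            return f"{flag} {q}{name}: <REDACTED>{q}"
        return m.group(0)

    cmd = _HEADER_RE.sub(_hdr, cmd)
    cmd = _COOKIE_FLAG_RE.sub(lambda m: f"{m.group(1)} {m.group(2)}<REDACTED>{m.group(2)}", cmd)
    return cmd


def contains_credentials(cmd: str) -> bool:
    """True if the command still carries anything redact_curl would strip."""
    return redact_curl(cmd) != cmd


if __name__ == "__main__":
    print(redact_curl(SAMPLE_CURL))
```

A pre-send hook in a chat client or ticketing integration can call contains_credentials and refuse the paste until it is clean.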
Fortunately, HackerOne was able to revoke the session cookie just two hours after haxta4ok00 first reported the incident.
At this time, HackerOne isn't saying just how much data was exposed by the security analyst's mistake. In a recently published incident report, though, the company said that all affected customers have already been notified privately.
The report also revealed that the exposed data was limited to reports the security analyst had access to. However, the disclosure doesn't provide any clues as to how many customers or how much data was affected. A day after the incident occurred, HackerOne cofounder Jobert Abma wrote to haxta4ok00, saying:
“Something came up that we hadn’t asked you yet. We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?”
Haxta4ok00 responded to this question by saying that he opened all of the reports and pages in order to “show the impact” and didn't intend any harm to either HackerOne or its customers. This explanation wasn't enough for Abma, who replied: “This became a bigger incident because of the amount of data that you accessed, not because it happened in the first place.”
Haxta4ok00 still received a bounty of $20,000 for his discovery, while learning the valuable lesson that just because files have been unintentionally made accessible to you, it doesn't mean you should open them.
Via Ars Technica