HackerOne has paid out $20,000 after a high-severity vulnerability was discovered in the bug-bounty platform. The flaw allowed an outside bounty hunter to access customers’ reports and other sensitive information.
Disclosed this week in a HackerOne report, the security incident stemmed from a session cookie that was exposed via human error, during an interaction between a HackerOne staff member and a bug-bounty hunter under the alias “haxta4ok00.” The session cookie was revoked by HackerOne two hours after it was shared.
“HackerOne triages incoming reports for HackerOne’s own bug-bounty program,” according to HackerOne’s report. “On November 24, 2019, a [HackerOne] security analyst tried to reproduce a submission to HackerOne’s program, which failed. The security analyst replied to the hacker, accidentally including one of their own valid session cookies.”
Session cookies are tied to a particular application (in this case, hackerone.com), and the application did not block access when the cookie was reused from another location.
That meant all platform features were available to whoever held the cookie, as well as a number of customer reports that the HackerOne representative involved in this incident had been handling.
“In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie,” according to HackerOne.
Also as part of this, the hacker was able to access a number of reports from HackerOne’s optional service, called Human-Augmented Signal (HAS), which flags reports that look like spam.
After realizing that the live session cookie had been exposed, haxta4ok00 submitted a bug-bounty report for the issue, including its impact and what he was able to access.
After revoking the cookie, HackerOne also said that it audited existing comments to see if other session cookies were leaked in the past; this fortunately did not yield any results.
The irony of the glitch being discovered in HackerOne’s platform — a bug-bounty platform used by companies to connect to white-hat hackers who hunt and submit vulnerabilities in products or services for a bounty reward — is not lost on the security community. Katie Moussouris, founder of Luta Security, pointed out on Twitter that the incident sheds light on concerns around bug-bounty programs in general not being fool-proof, particularly when companies rush into implementing them.
Outsource your triage for vuln disclosure & bug bounties, they said.
The labor market shortage of qualified triage workers is immaterial, they said.
Remember the whole point of these bug bounty platforms was to save you money in pen testing?
Help you find bugs that eluded you? https://t.co/pSlGXYmMIH
— Katie Moussouris (@k8em0) December 3, 2019
Moving forward, HackerOne for its part is implementing several short-term measures. These include binding the user’s session to the IP address used at initial sign-in, and terminating the session if an attempt is made to utilize it from a different IP address; restricting its employees from accessing resources from specific countries; and updating its bug bounty program policy to include specific actions for when a hacker may have access to a HackerOne account, sensitive keys, or sensitive data.
HackerOne also made a change that allows its platform to detect possible sensitive information, such as session cookies and authentication tokens, in comments and block submission of the comment until confirmation.
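The comment gate described above, as an added illustration that is not HackerOne's own code: it scans a comment for the kind of cURL command that "Copy as cURL" produces, treats every cookie value and bearer token as sensitive, and holds the comment back with a redacted preview until the author confirms. The cookie name, domain and token values in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Cookie header pasted from a browser's "Copy as cURL", e.g.  -H 'cookie: a=1; b=2'
COOKIE_HEADER = re.compile(r"""-H\s*['"]?\s*cookie:\s*([^'"\n]+)""", re.IGNORECASE)
COOKIE_PAIR = re.compile(r"([^=;\s]+)=([^;\s]+)")          # name=value inside that header
COOKIE_FLAG = re.compile(r"""(?:^|\s)(?:-b|--cookie)\s+['"]?([^'"\s]+)""")
AUTH_HEADER = re.compile(r"""authorization:\s*(bearer|basic|token)\s+([^'"\s]+)""", re.IGNORECASE)

@dataclass
class Finding:
    kind: str            # which pattern matched
    name: str            # cookie or scheme name; safe to show back to the submitter
    span: tuple          # (start, end) of the secret value inside the comment

def find_secrets(comment: str) -> list:
    """Locate credential material; every cookie value counts, since the scanner cannot know which one is the session."""
    findings = []
    for m in COOKIE_HEADER.finditer(comment):
        base = m.start(1)
        for pair in COOKIE_PAIR.finditer(m.group(1)):
            findings.append(Finding("cookie_header", pair.group(1),
                                    (base + pair.start(2), base + pair.end(2))))
    for m in COOKIE_FLAG.finditer(comment):
        findings.append(Finding("cookie_flag", "-b/--cookie", m.span(1)))
    for m in AUTH_HEADER.finditer(comment):
        findings.append(Finding("auth_header", m.group(1).lower(), m.span(2)))
    return findings

def redact(comment: str, findings) -> str:
    """Replace each secret value with a placeholder, right to left so offsets stay valid."""
    for f in sorted(findings, key=lambda f: f.span[0], reverse=True):
        start, end = f.span
        comment = comment[:start] + "[REDACTED]" + comment[end:]
    return comment

def gate_comment(comment: str, confirmed: bool = False) -> dict:
    """Hold the comment back when secrets are found, unless the author has confirmed; the preview is what a confirmation dialog would show."""
    findings = find_secrets(comment)
    if findings and not confirmed:
        reasons = sorted({f"{f.kind}:{f.name}" for f in findings})
        return {"allowed": False, "reasons": reasons, "preview": redact(comment, findings)}
    return {"allowed": True, "reasons": [], "preview": comment}

# Constructed sample: a triage reply with a cURL command whose headers were not stripped.
SAMPLE_COMMENT = """Could not reproduce. Here is the request I used:
curl 'https://example.com/reports/123' \\
  -H 'cookie: _session_id=CONSTRUCTED_SESSION_VALUE; locale=en' \\
  -H 'authorization: Bearer CONSTRUCTED_TOKEN'"""
```

Calling `gate_comment(SAMPLE_COMMENT)` refuses the comment and returns a preview in which both the cookie values and the bearer token read `[REDACTED]`; passing `confirmed=True` lets it through.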
And in the longer term, the company said it will increase bounty hunter education around how to handle any similar incidents to this one.
“As the community grows, HackerOne needs to ensure that HackerOne is reinforcing the best practices in bug bounty hunting,” the company said. “The HackerOne Community team will look to increase hacker education around delivering proof of critical severity vulnerabilities in case sensitive information has been accessed by the hacker.”