HackerOne pays up after data incident
The bug bounty platform HackerOne has paid a $20,000 bounty to an outside hacker after it accidentally gave them the ability to read and modify some of its customers' bug reports.
It all started when the outsider, who is a HackerOne community member with a proven track record of finding vulnerabilities, was communicating with one of the company's security analysts. The HackerOne analyst sent the person, who goes by the handle haxta4ok00, parts of a cURL command.
However, the cURL command the analyst sent mistakenly included a valid session cookie, which could be used by anyone who possessed it to read and even partially modify all of the data the analyst had access to.
Fortunately, HackerOne was able to revoke the session cookie just two hours after haxta4ok00 first reported the incident.
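The mistake described above is a copy-paste problem: a cURL command carries the session cookie (or a bearer token) inline, so sharing the command shares the session. As an added example, not code from HackerOne or the article, here is a small pre-share redactor that strips `Cookie`/`Authorization` headers and `-b`/`--cookie` values from a curl command line and reports what it found. The sample command and its cookie value are constructed; it handles the quoted header forms curl accepts, not bare unquoted ones.

```python
import re
from dataclasses import dataclass, field

# Header names whose values act as bearer credentials: anyone holding one
# can replay the request as the original user, which is what made the
# leaked session cookie in this incident dangerous.
SENSITIVE_HEADERS = ("cookie", "authorization", "x-csrf-token", "x-auth-token")

# -H/--header followed by a quoted "Name: value"; the flag must start a token.
HEADER_RE = re.compile(
    r"(?<!\S)(?P<flag>(?:-H|--header)(?:\s+|=))"
    r"(?P<q>['\"])(?P<name>[A-Za-z0-9-]+):\s*(?P<val>[^'\"]*)(?P=q)"
)
# -b/--cookie followed by a quoted cookie string or cookie-jar path.
COOKIE_RE = re.compile(r"(?<!\S)(?P<flag>(?:-b|--cookie)(?:\s+|=))(?P<q>['\"])[^'\"]*(?P=q)")


@dataclass
class RedactionResult:
    command: str                       # the command with secrets replaced
    findings: list = field(default_factory=list)  # what was redacted, in order


def redact_curl(command: str) -> RedactionResult:
    """Return a shareable copy of a curl command with session material removed."""
    findings = []

    def _header(m):
        name = m.group("name")
        if name.lower() not in SENSITIVE_HEADERS:
            return m.group(0)          # harmless header, keep as-is
        findings.append(f"header {name}")
        return f"{m.group('flag')}{m.group('q')}{name}: <REDACTED>{m.group('q')}"

    def _cookie(m):
        findings.append("cookie jar/string (-b/--cookie)")
        return f"{m.group('flag')}{m.group('q')}<REDACTED>{m.group('q')}"

    out = HEADER_RE.sub(_header, command)
    out = COOKIE_RE.sub(_cookie, out)
    return RedactionResult(out, findings)


# Constructed sample: hostname, cookie and token values are placeholders.
SAMPLE = ("curl 'https://hackerone.example/reports/1234' "
          "-H 'Accept: application/json' "
          "-H 'Cookie: _session=CONSTRUCTED_SAMPLE_VALUE' "
          "--header \"Authorization: Bearer CONSTRUCTED_TOKEN\" "
          "-b 'other=1' --compressed")

if __name__ == "__main__":
    result = redact_curl(SAMPLE)
    print(result.command)
    print("redacted:", result.findings)
```

Anything listed in `findings` is a session secret that would have travelled with the command; an empty list means the command carried no credentials this check recognises.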
At the moment, HackerOne isn't saying just how much data was exposed by the security analyst's mistake. In a recently published incident report, though, the company said that all affected customers have already been notified privately.
The report also revealed that the exposed data was limited to reports the security analyst had access to. However, the disclosure doesn't provide any clues as to how many customers or how much data was affected. A day after the incident occurred, HackerOne co-founder Jobert Abma wrote to haxta4ok00, saying:
“Something came up that we hadn’t asked you yet. We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?”
Haxta4ok00 responded to this question by saying that he opened all of the reports and pages in order to “show the impact” and didn't intend any harm to either HackerOne or its customers. This explanation wasn't enough for Abma, who replied: “This became a bigger incident due to the amount of data that you accessed, not because it happened in the first place.”
Haxta4ok00 still received a bounty of $20,000 for his discovery, while learning the valuable lesson that just because files have been accidentally made accessible to you, it doesn't mean you should open them.
Via Ars Technica