
HackerOne Employee Blackmailed Platform Customers

An employee of the bug bounty platform HackerOne stole vulnerability reports for more than two months and used them to blackmail the company’s clients, demanding additional financial rewards.

According to the company, the fraudster had been working at HackerOne since April 4 of this year, and during this time he managed to contact seven customers, inform them about vulnerabilities that had already been found in their products, and demand money for the bugs.

Let me remind you that we also wrote that HackerOne Analyst Opens Researcher Access to Confidential Information.

The strange activity was discovered on June 22, when HackerOne responded to a request from a customer who complained that he had received information about the vulnerability bypassing the platform itself from a person using the nickname rzlr. At the same time, the client noticed that a bug report about the same problem was previously submitted via HackerOne.

While it is sometimes possible for multiple researchers to discover the same bug at the same time, in this case the HackerOne report and the scammer’s report had obvious similarities that led to an investigation into what happened. So it turned out that one of the employees had access to the platform for more than two months and blackmailed customers with already discovered vulnerabilities.

The company says that the scammer managed to get a “reward” for some of the stolen bug reports. This allowed HackerOne to follow the money trail and identify the perpetrator as one of its own employees, whose work involved handling vulnerability disclosures for “numerous client programs”.

“The attacker created a sockpuppet account on HackerOne and was rewarded for several disclosures. Having determined these rewards to be inappropriate, HackerOne has contacted the relevant payment providers, who have partnered with us to provide additional information,” the official statement reads.

Analysis of network traffic revealed additional evidence linking the scammer’s main account and the sockpuppet account. Less than a day after the start of the investigation, the platform identified the attacker, deprived him of access to the system and remotely locked his laptop pending further investigation.

Over the following days, HackerOne performed a remote forensic analysis of the suspect’s computer, and also completed a review of the employee’s access logs during his work (to determine any bug bounty programs with which he interacted). As a result, on June 30, 2022, the fraudster was fired.

“After reviewing the issue with lawyers, we will decide whether a criminal referral is appropriate in this case. Meanwhile, we continue to examine the logs and devices used by the former employee,” the company writes.

The platform admits that the former employee blackmailed HackerOne customers using “threatening” and “intimidating” language and urged them to contact the company if they were unhappy with something.

Alas, “in the vast majority of cases” the company has no evidence of misuse of vulnerability data. However, clients whose reports the attacker accessed (whether unknowingly, for legitimate purposes as part of his work, or with malicious intent) have already been individually notified of the dates and times of access to each bug report. HackerOne also notified the researchers whose submissions were obtained by the scammer.

The company promises that in the future it will implement additional logging mechanisms to improve incident response, work on data isolation to “reduce the blast radius,” and also improve existing processes for detecting anomalous access and proactively detecting insider threats.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
