HackerOne Employee Blackmailed Platform Customers

A bug bounty employee of the HackerOne platform has been stealing vulnerability reports for more than two months and using them to blackmail the company’s clients, demanding additional financial rewards.

According to the company, the fraudster has been working at HackerOne since April 4 of this year, and during this time he managed to contact seven customers to inform them about the vulnerabilities already found in their products and demand money for bugs.

Let me remind you that we also wrote that HackerOne Analyst Opens Researcher Access to Confidential Information.

The strange activity was discovered on June 22, when HackerOne responded to a request from a customer who complained that he had received information about the vulnerability bypassing the platform itself from a person using the nickname rzlr. At the same time, the client noticed that a bug report about the same problem was previously submitted via HackerOne.

While it is sometimes possible for multiple researchers to discover the same bug at the same time, in this case the HackerOne report and the scammer’s report had obvious similarities that led to an investigation into what happened. So it turned out that one of the employees had access to the platform for more than two months and blackmailed customers with already discovered vulnerabilities.

The company says that the scammer managed to get a “reward” for some stolen bug reports. This allowed HackerOne to trace the money trail and identify the perpetrator in one of its employees who were involved in exposing vulnerabilities to “numerous client programs”.

Analysis of network traffic revealed additional evidence linking the scammer’s main account and the sockpuppet account. Less than a day after the start of the investigation, the platform identified the attacker, deprived him of access to the system and remotely locked his laptop pending further investigation.

Over the following days, HackerOne performed a remote forensic analysis of the suspect’s computer, and also completed a review of the employee’s access logs during his work (to determine any bug bounty programs with which he interacted). As a result, on June 30, 2022, the fraudster was fired.

The platform admits that the former employee blackmailed HackerOne customers using “threatening” and “intimidating” language and urged them to contact the company if they were unhappy with something.

Alas, “in the vast majority of cases” the company has no evidence of misuse of vulnerability data. However, clients whose reports the attacker accessed (whether unknown, for legitimate purposes, as part of their work, or with malicious intent) are already individually notified of the dates and times of access to each bug report. HackerOne also notified the researchers whose materials were obtained by the scammer.