As a result, the researcher ended up with a valid session cookie that let him read, and partly edit, the data the analyst had access to. This included reports submitted to other HackerOne customers, including private bug bounty programs, and the researcher wrote that he was also able to pay out bounties, change the details of bug bounty programs, add new users, and so on.
“I can read all reports from @security and other programs. I found that I have the ability to edit in a private program (for the test). I didn’t change anything and didn’t use it,” wrote haxta4ok00 in poor English.
haxta4ok00’s access was revoked a few hours later, and an investigation began. HackerOne representatives now say that the incident affected less than 5% of the programs on the platform, and that haxta4ok00 was not able to read all of the @security reports: he temporarily had access to a limited number of reports, and for most of them could see only the title and some metadata.
haxta4ok00 himself says that as soon as the problem was fixed he deleted all screenshots, proxy logs, browser history and other data obtained during the unauthorized access.
“The platform’s representatives, of course, cannot confirm the deletion, but they write that all the logs available to them show that I did not try to make any changes or cause any harm,” said haxta4ok00.
HackerOne’s developers now promise to bind session cookies to the IP address of the user to whom they were issued (as haxta4ok00 suggested), so that a leaked cookie cannot be reused from another network. This is a partial control rather than a complete one: clients behind carrier-grade NAT share an address, mobile clients change addresses, and an attacker on the same network as the victim keeps the same source IP.
The company has also introduced a mechanism that automatically detects and redacts session cookies and other sensitive data posted in comments. In addition, it plans to add new tooling for logging data access, to bind sessions to specific devices, to spend more time on employee training, and to revise the permission model for security analysts.