A hacker was able to access private customer reports on HackerOne after one of the platform's security analysts unintentionally shared a session cookie with him.
The incident occurred last week, during an online exchange about a bug bounty report the hacker had submitted to HackerOne. The HackerOne security analyst copied a cURL command straight from the browser console and pasted it to the hacker without removing the sensitive information it contained.
This handed the analyst's session cookie to the hacker. The cookie is issued after a HackerOne employee authenticates through Single Sign-On (SSO) with multi-factor authentication, and it grants access to all of the platform's services, including every report the analyst is authorized to work on.
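The failure mode above is mechanical: the browser's "Copy as cURL" action serialises every request header, including Cookie and Authorization, so anything pasted from it carries a live credential. The following is an added example, not code from the article or from HackerOne, of a small filter that strips those credentials from such a command before it is shared. The header and option names it treats as sensitive, and the sample command, are assumptions constructed for the example.

```python
import re
import shlex
from typing import List, Tuple

# Header names that carry credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-api-key"}
# curl options whose following argument is a credential by itself.
CREDENTIAL_OPTIONS = {"-b": "cookie", "--cookie": "cookie", "-u": "user", "--user": "user"}
HEADER_OPTIONS = {"-H", "--header"}
REDACTED = "<REDACTED>"

# Constructed sample, not the command from the incident: roughly what
# "Copy as cURL" produces for an authenticated request to a GraphQL endpoint.
SAMPLE_CURL = (
    "curl 'https://example.com/graphql' "
    "-H 'Content-Type: application/json' "
    "-H 'Cookie: __Host-session=s3cr3t-session-value; csrf=abc' "
    "-H 'Authorization: Bearer eyJ-not-a-real-token' "
    "--data-raw '{\"query\":\"{ me { id } }\"}'"
)


def redact_header(header: str, found: List[str]) -> str:
    """Blank the value of a 'Name: value' header if the name is sensitive."""
    name, sep, _ = header.partition(":")
    if sep and name.strip().lower() in SENSITIVE_HEADERS:
        found.append(name.strip())
        return f"{name.strip()}: {REDACTED}"
    return header


def redact_curl(command: str) -> Tuple[str, List[str]]:
    """Return (command safe to paste, names of the credentials removed)."""
    tokens = shlex.split(command)
    out: List[str] = []
    found: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in HEADER_OPTIONS and nxt is not None:
            out += [tok, redact_header(nxt, found)]
            i += 2
        elif tok in CREDENTIAL_OPTIONS and nxt is not None:
            found.append(CREDENTIAL_OPTIONS[tok])
            out += [tok, REDACTED]
            i += 2
        else:
            # Attached forms: -H'Cookie: ...' and --header='Cookie: ...'
            m = re.match(r"^(-H|--header=)(.+)$", tok)
            if m:
                out.append(m.group(1) + redact_header(m.group(2), found))
            else:
                out.append(tok)
            i += 1
    # Re-quote so the result is still a valid shell command line.
    return " ".join(shlex.quote(t) for t in out), found


if __name__ == "__main__":
    safe, removed = redact_curl(SAMPLE_CURL)
    print("removed:", removed)   # ['Cookie', 'Authorization']
    print(safe)
```

The value returned in the second element is the useful signal for a pre-paste check: if it is non-empty, the original command contained a credential and should not leave the console unredacted. The filter is deliberately conservative and keeps non-credential headers such as Content-Type intact so the shared command still reproduces the request.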
With the session cookie in hand, the hacker was able to access a wide range of sensitive data, including HackerOne customer reports, some of them from private bug bounty programs.
The hacker could see report titles and limited metadata through the Human-Augmented Signal (HAS) Inbox, the Triage Inbox and the main Inbox applications provided by HackerOne, and full report content when using the report view page.
In their default views, the HAS Inbox loaded up to 25 reports, the Triage Inbox up to 100, and the main Inbox up to 25.
“Information access was limited to what the HackerOne Security Analyst had access to, which does not cover HackerOne's entire customer base. If your data was accessed during this incident, you have received a separate notification from HackerOne,” the company said.
On Sunday, November 24, at 05:00 PST, the hacker submitted a report to HackerOne after testing how much access he had to the platform. The team acknowledged the report roughly two hours later and revoked the session cookie at 15:11 UTC on November 24.
“Revoking the session cookie rendered it useless to anyone using it. The subsequent investigation, which focused on affected users, vulnerability details, intent, interaction and remediation, concluded on November 26, 2019,” HackerOne explains in its incident report.
The root cause of the incident was not that the security analyst shared the session cookie in the cURL command, since that is a human error anyone could make, but that the bug bounty platform did not implement adequate protections to prevent the session cookie from being used from a different browser.
To address this, HackerOne has decided to bind staff sessions to the IP address they were created from, so that if someone tries to use a session from another IP address, that session is terminated. The binding will not be applied to customers.
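What "binding a session to an IP address" means in practice, as an added example that is not HackerOne's code: the session store records the client address at login and, on every later request, compares it with the address presenting the cookie. A mismatch does not just fail the request; it revokes the session, so the legitimate owner is logged out as well and the stolen cookie becomes worthless. The addresses and user names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    bound_ip: str                                   # client address seen at login
    created: float = field(default_factory=time.time)
    revoked: bool = False


class SessionStore:
    """In-memory session store for staff logins.

    With bind_to_ip=True every session is tied to the address it was created
    from; presenting the cookie from any other address terminates the session
    instead of merely rejecting that one request.
    """

    def __init__(self, bind_to_ip: bool = True) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        """Issue a fresh, unguessable session token bound to client_ip."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, bound_ip=client_ip)
        return token

    def revoke(self, token: str) -> None:
        """Manual revocation, the step HackerOne took once the report came in."""
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True

    def authenticate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid token, or None if it is rejected."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        if self.bind_to_ip and session.bound_ip != client_ip:
            # Same cookie, different address: the replay pattern from the
            # incident. Kill the session so the owner must re-authenticate.
            session.revoked = True
            return None
        return session.user


def simulate_leak(bind_to_ip: bool) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Replay a leaked staff cookie from a second address.

    Returns (analyst's first request, hacker's replay, analyst's next request).
    """
    store = SessionStore(bind_to_ip=bind_to_ip)
    analyst_ip, hacker_ip = "10.0.0.5", "203.0.113.7"      # constructed addresses
    cookie = store.login("analyst", analyst_ip)
    first = store.authenticate(cookie, analyst_ip)          # analyst's own use
    replay = store.authenticate(cookie, hacker_ip)          # cookie pasted into another browser
    after = store.authenticate(cookie, analyst_ip)          # analyst's next request
    return first, replay, after


if __name__ == "__main__":
    print("unbound:", simulate_leak(bind_to_ip=False))   # ('analyst', 'analyst', 'analyst')
    print("bound:  ", simulate_leak(bind_to_ip=True))    # ('analyst', None, None)
```

The unbound case reproduces the incident: the cookie works from anywhere until someone revokes it by hand. The bound case shows the trade-off behind HackerOne's decision to apply the control to staff only: anyone whose address changes mid-session (mobile networks, rotating NAT egress) is logged out, which is acceptable for employees on known networks but disruptive for the hacker and customer population.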
In addition, HackerOne has decided to put a security on-call in place to ensure that a critical report is delivered to the right person and handled promptly. The bug bounty program policy is also being revised to clarify what actions hackers should take when they gain access to a HackerOne account, confidential keys or sensitive data.
“While HackerOne has determined which reports were accessed based on the GraphQL queries that were executed, HackerOne plans to improve its data access logging. This supports incident response and allows for a faster response,” the platform said.
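Reconstructing which reports were read from query logs is the kind of scoping the quoted statement describes. The following is an added example, not HackerOne's tooling or log format: given an application-level log of GraphQL operations, it treats every request made with the leaked session from an address other than its owner's, up to the revocation time, as attacker activity, and lists the reports whose content was fetched. Field names, session IDs, addresses, report IDs and the log lines themselves are constructed for the example.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample of a GraphQL request log, one JSON object per line.
# Not HackerOne's real format; every identifier here is an assumption.
SAMPLE_LOG = """\
{"ts": "2019-11-24T12:40:00Z", "session": "sess-analyst", "ip": "10.0.0.5", "operation": "ReportView", "variables": {"reportId": "r-101"}}
{"ts": "2019-11-24T13:05:12Z", "session": "sess-analyst", "ip": "203.0.113.7", "operation": "HasInbox", "variables": {"first": 25}}
{"ts": "2019-11-24T13:06:40Z", "session": "sess-analyst", "ip": "203.0.113.7", "operation": "ReportView", "variables": {"reportId": "r-207"}}
{"ts": "2019-11-24T13:07:05Z", "session": "sess-analyst", "ip": "203.0.113.7", "operation": "ReportView", "variables": {"reportId": "r-208"}}
{"ts": "2019-11-24T13:30:00Z", "session": "sess-other", "ip": "10.0.0.9", "operation": "ReportView", "variables": {"reportId": "r-300"}}
{"ts": "2019-11-24T15:05:00Z", "session": "sess-analyst", "ip": "203.0.113.7", "operation": "ReportView", "variables": {"reportId": "r-207"}}
"""

# Operations whose response carries full report content, as opposed to the
# titles and metadata an inbox listing returns.
CONTENT_OPERATIONS = {"ReportView"}

# Revocation time from the article (15:11 UTC on November 24).
REVOKED_AT = datetime(2019, 11, 24, 15, 11, tzinfo=timezone.utc)


def parse_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON log entries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scope_incident(entries: List[Dict], session_id: str,
                   trusted_ip: str, revoked_at: datetime) -> Dict:
    """Summarise what a leaked session exposed before it was revoked."""
    foreign = [e for e in entries
               if e["session"] == session_id
               and e["ip"] != trusted_ip
               and parse_ts(e["ts"]) < revoked_at]
    exposed = sorted({e["variables"]["reportId"] for e in foreign
                      if e["operation"] in CONTENT_OPERATIONS})
    first = min((parse_ts(e["ts"]) for e in foreign), default=None)
    return {
        "foreign_ips": sorted({e["ip"] for e in foreign}),
        "first_foreign_use": first.isoformat() if first else None,
        "metadata_requests": sum(1 for e in foreign
                                 if e["operation"] not in CONTENT_OPERATIONS),
        "reports_exposed": exposed,
    }


if __name__ == "__main__":
    result = scope_incident(parse_log(SAMPLE_LOG), "sess-analyst", "10.0.0.5", REVOKED_AT)
    print(json.dumps(result, indent=2))
```

The distinction between metadata-only operations and content operations matters for notification: an inbox listing shows the hacker that a report exists and its title, while a report view exposes its body, so the two sets of affected customers may differ. The analysis only works if operation name, session identifier, client address and the relevant query variables are logged per request, which is exactly the logging gap the statement says HackerOne intends to close.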
According to HackerOne's investigation, there had been no similar sharing of session cookies between its security analysts and hackers in previous conversations.
After confirming that the hacker had been fully transparent about the data he obtained, HackerOne awarded a $20,000 bug bounty. The issue was rated High severity, with a CVSS score of 8.3, but was paid out at the Critical tier.
“In a disturbing statement, HackerOne told me and an unknown number of other researchers that our non-public findings were partially disclosed to unauthorized parties,” said Craig Young, computer security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT).
“This incident is another reminder of the distinct threat to organizations using managed vulnerability reporting platforms such as Bugcrowd or HackerOne, though I commend HackerOne for their response. The valuable data such vendors accumulate makes them an extremely attractive target for intelligence agencies (or even criminal actors) looking to fill their arsenals.”
“It is very interesting that HackerOne had not already implemented such security measures, as some of them are of a crucial and indispensable nature,” commented Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, by e-mail.
“Attackers will likely consider targeted attacks on crowd security testing platforms in the near future. This incident may serve as a catalyst, showing how skilled cybercriminals can be granted unprecedented access. This is not a trivial task, but the effort will pay off generously given the volume of critical and unpatched vulnerabilities residing on the many security testing platforms,” concluded Kolochenko.