Cut-and-paste goof reveals HackerOne session cookie, and earns bug hunter $20,000


Maybe you’ve heard of HackerOne.


It helps some of the world’s most famous companies and organisations run bug bounty programs – Starbucks, Goldman Sachs, Uber, Instagram, Twitter, Slack, the United States Department of Defense… the list goes on and on.


Researchers find a security vulnerability in a product, service or website and HackerOne helps co-ordinate the report to the company concerned – and ultimately the person who found the bug ends up being rewarded financially.


Better that bugs are reported responsibly this way and fixed, than discovered by malicious hackers who exploit them with criminal intent.


So there’s some irony in reading that HackerOne’s own security has been found lacking.


HackerOne has paid out a US $20,000 bounty after a researcher called Haxta4ok00 discovered he was able to access some other users’ bug reports on the website.


Why was Haxta4ok00 able to access the data? One of HackerOne's own staff had accidentally disclosed one of their own valid session cookies, granting the external bug hunter access to vulnerability reports relating to other HackerOne customers:



HackerOne triages incoming reports for HackerOne’s own bug bounty program. On November 24, 2019, a Security Analyst tried to reproduce a submission to HackerOne’s program, which failed. The Security Analyst replied to the hacker, accidentally including one of their own valid session cookies.


Why was a cookie included?


When a Security Analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report. During this dialogue, Security Analysts may include ste ..
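The check a triage workflow would want here, as an added example that is not HackerOne's code and is not described in the report: a pre-send pass over an analyst's reply that finds Cookie headers and curl cookie flags and blanks their values, so a reproduction command can be pasted into a reply without carrying the analyst's live session along with it. The reply text, the hostname `example.invalid` and the cookie names (`__Host-session`, `_csrf`, `session_id`) are constructed for the sample and are not taken from the report.

```python
import re

# Constructed sample of a triage reply: a reproduction command pasted straight
# from the analyst's terminal, still carrying the analyst's own session cookie.
# Host, cookie names and values are made up for this example.
SAMPLE_REPLY = """Hi, I could not reproduce this. Here is what I tried:

curl -i 'https://example.invalid/reports/1234' \\
  -H 'Cookie: __Host-session=eyJhbGciOiJIUzI1NiJ9.c2Vzc2lvbg.9fX1; _csrf=abc123' \\
  -H 'Accept: application/json'

I also tried the raw header:

Cookie: session_id=a1b2c3d4e5f6

The response was a 404 in both cases.
"""

# A Cookie/Set-Cookie header: name, separator, and the value up to a quote or
# end of line (quotes bound the header when it is a curl -H argument).
COOKIE_HEADER = re.compile(r"(?i)\b(set-cookie|cookie)(\s*:\s*)([^\n'\"]+)")
# curl's cookie flag with a single-quoted, double-quoted or bare argument.
CURL_COOKIE_FLAG = re.compile(
    r"(?<!\S)(-b|--cookie)(\s+|=)(?:'([^']*)'|\"([^\"]*)\"|(\S+))"
)
# One name=value pair inside a cookie string.
COOKIE_PAIR = re.compile(r"([A-Za-z0-9_\-]+)=([^;\s]+)")

REDACTED = "<REDACTED>"


def redact_cookies(text):
    """Blank every cookie value in text. Returns (redacted_text, cookie_names),
    where cookie_names lists each cookie whose value was found, in order."""
    found = []

    def redact_pairs(cookie_string):
        def one_pair(m):
            found.append(m.group(1))
            return f"{m.group(1)}={REDACTED}"
        return COOKIE_PAIR.sub(one_pair, cookie_string)

    def header(m):
        name, sep, value = m.groups()
        return f"{name}{sep}{redact_pairs(value)}"

    def curl_flag(m):
        flag, sep, single, double, bare = m.groups()
        if single is not None:
            return f"{flag}{sep}'{redact_pairs(single)}'"
        if double is not None:
            return f'{flag}{sep}"{redact_pairs(double)}"'
        return f"{flag}{sep}{redact_pairs(bare)}"

    text = COOKIE_HEADER.sub(header, text)
    text = CURL_COOKIE_FLAG.sub(curl_flag, text)
    return text, found


def safe_to_send(text):
    """Gate for an outgoing reply: True only if no cookie value was found."""
    return not redact_cookies(text)[1]


if __name__ == "__main__":
    cleaned, names = redact_cookies(SAMPLE_REPLY)
    print("cookies found:", names)
    print(cleaned)
```

Redacting pasted text is only a backstop against the cut-and-paste mistake itself; the server-side controls that limit the damage once a cookie has escaped are short session lifetimes and immediate revocation of any session known to have been exposed, which is what the truncated report goes on to discuss.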
