A hacker was able to access private customer reports on HackerOne after one of the platform’s security analysts inadvertently shared a session cookie.
The incident occurred last week during an online exchange about a bug bounty report that the hacker submitted to HackerOne. Specifically, the HackerOne Security Analyst copied a cURL command from a browser console and sent it to the hacker without removing sensitive information from it.
This resulted in the Analyst’s session cookie being shared with the hacker. The session cookie is issued after the HackerOne staff member completes multi-factor Single Sign-On (SSO), and it grants access to all platform features, including all of the reports that the Analyst supports.
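The failure mode described above is a browser “Copy as cURL” command pasted into a conversation with its Cookie header intact. The following Python is an added example, not HackerOne’s code: it redacts credential-bearing headers and `-b`/`-u` arguments from such a command and checks whether a command still carries a live credential. The curl command and session value are constructed.

```python
import re
import shlex

# Header names whose values grant account or session access; sharing them leaks the login.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-api-key"}
# curl options that take a credential as their next argument.
CREDENTIAL_OPTIONS = {"-b", "--cookie", "-u", "--user"}
REDACTED = "[REDACTED]"

# Constructed sample of what a browser's "Copy as cURL" produces (not a real host or session).
SAMPLE_COPIED_CURL = """curl 'https://example.invalid/api/reports/123' \\
  -H 'Accept: application/json' \\
  -H 'Cookie: __Host-session=CONSTRUCTED_SESSION_VALUE; _csrf=abc' \\
  -H 'User-Agent: Mozilla/5.0' \\
  --compressed"""

def _tokens(cmd: str) -> list[str]:
    # Browser output is line-wrapped with backslash-newline; join lines before shell-splitting.
    return shlex.split(re.sub(r"\\\r?\n", " ", cmd))

def redact_curl_command(cmd: str) -> str:
    """Replace credential-bearing header values and -b/-u arguments with [REDACTED]
    so the command can be pasted into a report thread without sharing the session."""
    tokens = _tokens(cmd)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-H", "--header"):
            name, sep, _ = tokens[i + 1].partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                tokens[i + 1] = f"{name.strip()}: {REDACTED}"
        elif tok in CREDENTIAL_OPTIONS:
            tokens[i + 1] = REDACTED
    return " ".join(shlex.quote(t) for t in tokens)

def contains_credentials(cmd: str) -> bool:
    """True if the command still carries a live Cookie/Authorization header or -b/-u value."""
    tokens = _tokens(cmd)
    for i, tok in enumerate(tokens[:-1]):
        value = tokens[i + 1]
        if tok in ("-H", "--header"):
            name, _, header_value = value.partition(":")
            if name.strip().lower() in SENSITIVE_HEADERS and header_value.strip() != REDACTED:
                return True
        elif tok in CREDENTIAL_OPTIONS and value != REDACTED:
            return True
    return False

if __name__ == "__main__":
    print(redact_curl_command(SAMPLE_COPIED_CURL))
```

Running `contains_credentials` on anything about to be pasted into a shared thread is the cheap check; redaction only helps if it happens before the paste, not after.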
With the session cookie in hand, the hacker was able to access a broad range of sensitive information, such as HackerOne customer reports, including some from private bug bounty programs.
Through the inbox of the Human-Augmented Signal (HAS) service that HackerOne offers, the Triage Inbox, or the main Inbox, the hacker could see only report titles and limited metadata, but had access to full report contents when using the Report View feature.
In the default view, the HAS Inbox loaded up to 25 reports, the Triage Inbox loaded up to 100 reports onto the user interface, and the main Inbox loaded up to 25 reports.
“Data access was limited to the access the HackerOne Security Analyst had, which does not cover HackerOne’s entire customer base. If your data was accessed during this incident, you have received a separate notification from HackerOne,” the company explained.
After checking how much access he had to the platform, the ha ..