Vulnerability-reporting platform HackerOne has come clean about a critical security flaw on its own website that could be used to expose the email addresses of users.
A researcher going by the name of “msdian7” revealed how an attacker could exploit the site’s project invite feature to uncover the email addresses of other users as detailed on the site itself:
“HackerOne has an invitation system that allows program owners to send invitations to users for various purposes, such as invitations to hack on private programs, claim bounties, be added to programs, among others. The invitation system allows users to be invited by email or by username. If a user is invited by their username, the sender is not permitted to view the email address the invitation is sent to for user privacy. This rule has been guarded by HackerOne’s Access Control Lists (ACLs) in HackerOne’s Representational state transfer (REST) framework, but HackerOne has been migrating these objects to GraphQL under a new protection layer. When exposing a new invitation object, the ACL rule previously applied wasn’t implemented correctly to the new GraphQL protection layer.”
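The mismatch the disclosure describes, as an added Python example rather than HackerOne's own code (all class, function and field names and the sample data are constructed): the same ACL rule applied in a REST serializer, a GraphQL resolver that loses it during migration, the corrected resolver with a field-level check, and a regression check that both layers expose identical fields.

```python
"""Field-level authorization for an invitation object exposed through two API
layers. Constructed example: names, fields and data are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Invitation:
    id: int
    invited_by: str        # "email" or "username": how the sender addressed the recipient
    recipient_email: str   # always stored; visibility depends on invited_by


# Constructed sample data
INVITATIONS: Dict[int, Invitation] = {
    1: Invitation(1, "email", "alice@example.com"),
    2: Invitation(2, "username", "bob@example.com"),
}


def can_view_email(inv: Invitation) -> bool:
    """The ACL rule: a sender may only see an address they typed themselves."""
    return inv.invited_by == "email"


def rest_invitation(inv_id: int) -> dict:
    """REST layer: the ACL is applied inside the serializer."""
    inv = INVITATIONS[inv_id]
    email = inv.recipient_email if can_view_email(inv) else None
    return {"id": inv.id, "invited_by": inv.invited_by, "recipient_email": email}


def graphql_invitation_before(inv_id: int) -> dict:
    """GraphQL layer as first exposed: object-level access only, every field
    resolved straight from the model, so the REST serializer's rule is lost."""
    inv = INVITATIONS[inv_id]
    return {"id": inv.id, "invited_by": inv.invited_by, "recipient_email": inv.recipient_email}


def graphql_invitation_after(inv_id: int) -> dict:
    """Fixed GraphQL layer: the email field gets its own resolver that re-applies
    the same rule the REST layer used, instead of inheriting the raw model value."""
    inv = INVITATIONS[inv_id]

    def resolve_recipient_email(i: Invitation) -> Optional[str]:
        return i.recipient_email if can_view_email(i) else None

    return {"id": inv.id, "invited_by": inv.invited_by, "recipient_email": resolve_recipient_email(inv)}


def layers_agree(inv_id: int, graphql_resolver: Callable[[int], dict] = graphql_invitation_after) -> bool:
    """Regression check for API-layer migrations: both layers must return the same fields."""
    return rest_invitation(inv_id) == graphql_resolver(inv_id)
```

Running `layers_agree` over every object during a migration catches the class of bug described above before the new layer is exposed.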
To HackerOne’s credit, the flaw was resolved within three hours of msdian7’s report.
That’s an impressive response by HackerOne.
And that’s the important thing. I think we can all accept that any complicated website might have vulnerabilities and flaws from time to time. What matters most is that they are identified promptly and then resolved as quickly as possible, reducing the window of opportunity for malicious exploitation.
Msdian7 has been ..