The bug bounty platform HackerOne has paid a $20,000 bounty to an outside hacker after it accidentally gave them the ability to read and modify some of its customers' bug reports.
It all started when the outsider, who is a HackerOne community member with a verified track record of finding vulnerabilities, was communicating with one of the company's security analysts. The HackerOne analyst sent the user, who goes by the handle haxta4ok00, parts of a cURL command.
However, the cURL command the analyst sent mistakenly included a valid session cookie, which could be used by anyone who possessed it to read and even partially modify all of the data the analyst had access to.
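The mistake described above, a session cookie copied along with the rest of a cURL command, is easy to catch before a command leaves the analyst's clipboard. The following is an added example, not code from the article or from HackerOne: a small redaction check that strips credential-bearing headers and cookie flags from a cURL command before it is shared. The header list, the sample command and the `example.invalid` hostname are constructed for the example.

```python
import re
from typing import List, Tuple

# Header names whose values are credentials and must never be shared verbatim.
# Constructed list for this example; extend it for your own environment.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "x-auth-token", "x-csrf-token"}

# -H 'Name: value' or --header "Name: value" (quote style captured in group 3)
_HEADER_RE = re.compile(r"""(-H|--header)(\s+)(['"])([^:'"]+):\s*(.*?)\3""", re.DOTALL)
# -b 'name=value; other=value' or --cookie "..." (quoted form)
_COOKIE_QUOTED_RE = re.compile(r"""(-b|--cookie)(\s+)(['"])(.*?)\3""", re.DOTALL)
# -b name=value or --cookie name=value (bare, unquoted form)
_COOKIE_BARE_RE = re.compile(r"""(-b|--cookie)(\s+)([^'"\s]+)""")


def redact_curl(command: str) -> Tuple[str, List[str]]:
    """Return the command with credential values replaced by <REDACTED>,
    plus a list describing each credential that was found."""
    findings: List[str] = []

    def _header(m: "re.Match") -> str:
        flag, ws, quote, name, value = m.groups()
        if name.strip().lower() in SENSITIVE_HEADERS and value:
            findings.append(f"{name.strip()} header")
            return f"{flag}{ws}{quote}{name}: <REDACTED>{quote}"
        return m.group(0)  # harmless header such as Accept: leave untouched

    def _cookie_quoted(m: "re.Match") -> str:
        flag, ws, quote, _value = m.groups()
        findings.append("cookie flag")
        return f"{flag}{ws}{quote}<REDACTED>{quote}"

    def _cookie_bare(m: "re.Match") -> str:
        flag, ws, _value = m.groups()
        findings.append("cookie flag")
        return f"{flag}{ws}<REDACTED>"

    out = _HEADER_RE.sub(_header, command)
    out = _COOKIE_QUOTED_RE.sub(_cookie_quoted, out)
    out = _COOKIE_BARE_RE.sub(_cookie_bare, out)
    return out, findings


def is_safe_to_share(command: str) -> bool:
    """True when the command carries no session cookie or auth header."""
    return not redact_curl(command)[1]


# Constructed sample: the kind of "copy as cURL" output a browser produces,
# including a live session cookie that must not be pasted into a chat.
SAMPLE_COMMAND = (
    "curl 'https://example.invalid/api/reports/123' "
    "-H 'Accept: application/json' "
    "-H 'Cookie: __Host-session=deadbeefcafe1234' "
    "-H 'Authorization: Bearer tok_abc'"
)

if __name__ == "__main__":
    redacted, found = redact_curl(SAMPLE_COMMAND)
    print("safe to share:", is_safe_to_share(SAMPLE_COMMAND))
    print("found:", found)
    print(redacted)
```

Run the check on any command before pasting it to an outside party; if `is_safe_to_share` returns False, share the redacted form and, since the original cookie has now been exposed to a clipboard or chat window, treat it the way HackerOne did here and revoke the session rather than assume it stayed private.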
Fortunately, HackerOne was able to revoke the session cookie quickly, just two hours after haxta4ok00 first reported the breach.
Currently, HackerOne isn't saying just how much data was exposed by the security analyst's mistake. In a recently published incident report, though, the company said that all affected customers have already been notified privately.
The report also revealed that the exposed data was limited to reports the security analyst had access to. However, the disclosure doesn't provide any clues as to how many customers or how much data was affected. A day after the incident occurred, HackerOne cofounder Jobert Abma wrote to haxta4ok00, saying:
“Something came up that we hadn’t asked you yet. We didn’t find it necessary for you to have opened all of the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?”
Haxta4ok00 responded to this question by saying that he opened all of the reports and pages in order to “show the impact” and didn’t intend any harm to either HackerOne or its customers. This explanation wasn’t enough for Abma, who replied, saying: “This became a bigger incident due to the amount of data that you accessed, not because it happened in the first place.”
Haxta4ok00 still received a bounty of $20,000 for his discovery, while learning the valuable lesson that just because files have accidentally been made accessible to you, it doesn’t mean you should open them.
Via Ars Technica