HackerOne pays $20,000 bounty after breach of own systems

In an embarrassing twist, bug bounty platform HackerOne has paid a $20,000 reward to a researcher who reported a security flaw inadvertently caused by one of its staff during… a bug submission.

According to the company’s timeline, the bizarre incident happened on 24 November when one of its analysts tried to reproduce a security issue submitted by a registered community member called haxta4ok00.

After failing to reproduce the bug, the analyst opened a dialogue with the member during which parts of a curl command (curl is a command line tool used to fetch data from URLs) were accidentally included in a reply. That command disclosed a live session cookie. Session cookies are ‘keys’ that grant you access to a service after you’ve logged in, so having somebody’s session cookie is as good as having their password.

That gave haxta4ok00 access to all the customer reports handled by that analyst for the duration of that session, with the result that:

Sensitive information of multiple objects was exposed. During the timeframe the hacker had access, three different features were used to access sensitive information.

In other words, a security bug had occurred during the reporting of a security bug.

Twenty minutes after it happened, after poking around a bit, haxta4ok00 gave HackerOne the bad news about the breach.

Two hours after that, someone at HackerOne responded, revoking the vulnerable session cookie three minutes later.

What just happened?

On the face of it, the incident was simple human error. In comments to the BBC, HackerOne admitted:

Less than 5% of HackerOne programs were impacted, and those programs were contacted within 24 hours of report receipt.

Luckily, haxta4ok00 did the right thing and came clean about the bug they’d spotted. But judging from exchanges at the end of the advisory between HackerOne’s co-founder Jobert Abma and haxta4ok00, the bug spotter’s poke-about was troubling:

We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?

To which, haxta4ok00, replies:

I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once.

The learning

Marked as a critical vulnerability, haxta4ok00 was awarded the maximum bounty for that type of flaw – $20,000.

HackerOne has detailed several preventative measures, which include closing the potential vulnerability by limiting analyst sessions to the IP address from which they originate. And to reduce the time it takes to react to a critical report submission – a particular problem at weekends, as was the case here – it has decided to “move from a Slack notification to paging the on-call security person”.