Comments On HackerOne Breach Lets Outside Hacker Read Customers’ Private Bug Reports

HackerOne, a leading vulnerability reporting platform that has paid hackers more than $23M on behalf of 100+ customers, has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports. The outsider was a HackerOne community member with a proven track record of finding and privately reporting vulnerabilities through the platform. While communicating with the community member late last month, one of the company’s security analysts sent them parts of a cURL command that mistakenly included a valid session cookie, which gave anyone who possessed it the ability to read and partially modify the data the analyst had access to.

HackerOne revoked the session cookie exactly two hours and three minutes after the breach was reported, but the company’s incident response team has set out to investigate what happened and how much damage had been done.
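The failure mode described above is a credential copied out of a terminal along with the rest of a cURL command. One defensive control is to scrub such commands before they are pasted into a ticket or chat. The following is an added example written for this page, not HackerOne's own tooling; the function name `redact_curl`, the header list, and the sample command with its made-up cookie value are all constructed for illustration.

```python
"""Redact session cookies and auth material from a cURL command before sharing it.

Added example (not HackerOne's code). The SAMPLE command and every secret
value in it are constructed for illustration.
"""
import re
import shlex

# Header names whose values are credentials and must not leave the terminal.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "x-auth-token"}


def _redact_header(value):
    """Return (possibly redacted header string, header name or None)."""
    name, sep, _ = value.partition(":")
    if sep and name.strip().lower() in SENSITIVE_HEADERS:
        return f"{name.strip()}: [REDACTED]", name.strip()
    return value, None


def redact_curl(cmd):
    """Return (redacted_command, findings) for a cURL invocation.

    Handles `-H 'Cookie: ...'`, the glued `-H"Cookie: ..."` form,
    `-b/--cookie`, `-u/--user` and their `--opt=value` spellings. The
    result is re-quoted with shlex so it is still a valid shell command.
    """
    tokens = shlex.split(cmd)
    out, findings = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-H", "--header") and nxt is not None:
            nxt, name = _redact_header(nxt)
            if name:
                findings.append(f"header {name}")
            out += [tok, nxt]
            i += 2
            continue
        if tok.startswith("-H") and len(tok) > 2:  # glued form: -H"Cookie: ..."
            value, name = _redact_header(tok[2:])
            if name:
                findings.append(f"header {name}")
            out.append("-H" + value)
            i += 1
            continue
        if tok in ("-b", "--cookie", "-u", "--user") and nxt is not None:
            findings.append(f"option {tok}")
            out += [tok, "[REDACTED]"]
            i += 2
            continue
        m = re.fullmatch(r"(--cookie|--user)=(.*)", tok, re.S)
        if m:
            findings.append(f"option {m.group(1)}")
            out.append(f"{m.group(1)}=[REDACTED]")
            i += 1
            continue
        out.append(tok)
        i += 1
    return " ".join(shlex.quote(t) for t in out), findings


# Constructed sample: the cookie value is made up and carries no real session.
SAMPLE = (
    "curl -X GET 'https://api.example.invalid/reports/123' "
    "-H 'Cookie: _session=s3cr3t-constructed-value' "
    "-H 'Accept: application/json'"
)

if __name__ == "__main__":
    redacted, found = redact_curl(SAMPLE)
    print(redacted)
    print("redacted:", found)
```

Run the scrubber on anything copied from a terminal before it goes into a report; the `findings` list doubles as a signal for a pre-commit or chat-bot hook that should block the paste outright rather than silently fix it.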

Ilia Kolochenko, Founder and CEO,  ImmuniWeb
December 05, 2019
In the near future, attackers will probably consider targeted attacks against crowd security testing platforms.
“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature. Other corrective measures may also appear questionable, for example blocking access from specific countries. Security researchers may feel at least uncomfortable, if not embarrassed, in light of HackerOne’s persistent ....
