Bug bounty startup HackerOne suffers breach after analyst mistake
Bug bounty program startup HackerOne Inc. has suffered a security breach after accidentally giving a researcher the ability to read and modify some of its bug reports.
The incident occurred because an analyst at HackerOne who was corresponding with the researcher provided a cURL command that mistakenly included a valid session cookie. That gave anyone in possession of the cookie the ability to access and modify the same data the analyst had access to.
First spotted today by Ars Technica, a researcher going by the name of haxta4ok00 wrote on the HackerOne community board Nov. 24 that he had been given access and that he could prove it. HackerOne did move quickly, revoking the session cookie two hours and three minutes after the initial report was made, but the question that arises is how it occurred to begin with.
HackerOne’s official explanation is that its security analyst failed to remove parts of the cURL command copied from a browser console that disclosed the session cookie.
“Session cookies are tied to a particular application, in this case hackerone.com,” HackerOne said. “The application won’t block access when a session cookie gets reused in another location. This was a known risk. As many of HackerOne’s users work from mobile connections and through proxies, blocking access would degrade the user experience for those users.”
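The root cause described above is a "Copy as cURL" command pasted from a browser console with its Cookie header still attached. The scrubber below is an added example, not HackerOne's tooling: it tokenises such a command and redacts the credential-bearing headers and options before the command is shared. The header and option lists and the sample command are assumptions constructed for illustration.

```python
import shlex

# Header names whose values identify a user or session (assumed list).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-auth-token"}
# curl options that carry credentials in their own argument (assumed list).
SENSITIVE_OPTS = {"-b", "--cookie", "-u", "--user"}
REDACTED = "<REDACTED>"

# Constructed sample in the shape a browser's "Copy as cURL" produces.
SAMPLE = r"""curl 'https://example.test/api/reports/1' \
  -H 'Accept: application/json' \
  -H 'Cookie: _session_id=CONSTRUCTED_EXAMPLE_VALUE; other=1' \
  -H 'X-Csrf-Token: CONSTRUCTED_TOKEN' \
  --compressed"""


def scrub_curl(command: str):
    """Return (scrubbed_command, redacted_names) for a cURL command string.

    Shell line continuations are joined first, then shlex splits the command
    so quoted header values stay whole. Each sensitive header or option has
    its value replaced by a placeholder; everything else is kept verbatim.
    """
    tokens = shlex.split(command.replace("\\\n", " "))
    out, redacted = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-H", "--header") and nxt is not None:
            name, sep, _value = nxt.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                out += [tok, f"{name.strip()}: {REDACTED}"]
                redacted.append(name.strip())
                i += 2
                continue
        if tok in SENSITIVE_OPTS and nxt is not None:
            out += [tok, REDACTED]
            redacted.append(tok)
            i += 2
            continue
        if tok.startswith("--cookie=") or tok.startswith("--user="):
            opt = tok.split("=", 1)[0]
            out.append(f"{opt}={REDACTED}")
            redacted.append(opt)
            i += 1
            continue
        out.append(tok)
        i += 1
    return shlex.join(out), redacted


if __name__ == "__main__":
    cmd, names = scrub_curl(SAMPLE)
    print(cmd)
    print("redacted:", ", ".join(names))
```

Pasting the scrubbed output instead of the raw copy is the check the analyst in this incident needed; the returned list tells the sender which credentials were stripped.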
The company has now made changes to its security procedures. The researcher haxta4ok00 was also paid $20,000 for identifying and reporting the security issue.
“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature,” Ilia Kolochenko, founder and chief executive of web security company ImmuniWeb, told SiliconANGLE. “Other corrective measures,” he added, “may also appear questionable, for example blocking access from specific countries.”
“Security researchers may feel at least uncomfortable, if not embarrassed, in light of HackerOne’s persistent advertising of diversified and international crowd intelligence,” Kolochenko explained. “And importantly, sophisticated cybercriminals will bypass this ‘measure’ with the utmost of ease. Nonetheless, rapid and transparent disclosure of the incident by HackerOne serves as a laudable example to others and reminds us once again that humans are the weakest link.”
Calling the announcement startling, Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team, noted that, similar to previously disclosed incidents or weaknesses within BugZilla or Google Issue Tracker, exposure of nonpublic HackerOne reports is a danger to all internet users.
“While I commend HackerOne for their response, this incident is yet another reminder of the distinct risk organizations take by using managed vulnerability reporting services like BugCrowd or HackerOne,” Young added. “The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies or even criminal actors to fill their arsenal.”
Photo: HackerOne