HackerOne breach lets outside hacker read customers’ private bug reports
As a leading vulnerability reporting platform, HackerOne has paid hackers more than $23 million on behalf of more than 100 customers, including Twitter, Slack, and the US Pentagon. The company's position also gives it access to unimaginable amounts of sensitive data. Now, the company has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports.
The outsider, a HackerOne community member who had a proven track record of finding and privately reporting vulnerabilities through the platform, had been communicating late last month with one of the company's security analysts. In one message, the HackerOne analyst sent the community member parts of a cURL command that mistakenly included a valid session cookie that gave anyone with possession of it the ability to read and partially modify data the analyst had access to.
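The failure described above is a copied cURL command carrying a live session cookie. As an added example (not code from HackerOne or the article), the following Python scrubs cookie values from any cURL command embedded in an outgoing message and can double as a pre-send check; the sample message and cookie values are constructed placeholders, and it assumes the common `-H 'Cookie: ...'`, `-b` and `--cookie` forms.

```python
import re

# Constructed sample message: a pasted cURL command of the kind described in
# the article, with made-up cookie values (placeholders, not real credentials).
SAMPLE_MESSAGE = (
    "Try this from your side:\n"
    "curl -s 'https://example.invalid/api/reports' "
    "-H 'Cookie: __Host-session=abc123SECRETVALUE; theme=dark' "
    "-b 'sid=xyz789SECRET' --cookie token=qrs456SECRET "
    "-H 'Accept: application/json'\n"
    "and tell me what you get."
)

# Cookie header passed with -H/--header, quoted: -H 'Cookie: a=1; b=2'
HEADER_COOKIE = re.compile(
    r"(-H\s+|--header[\s=])(['\"])([Cc]ookie:\s*)([^'\"\n]*)\2")
# Cookie string passed with -b/--cookie, either quoted or a single bare token.
FLAG_COOKIE = re.compile(
    r"(-b\s+|--cookie[\s=])(?:(['\"])([^'\"\n]*)\2|(\S+))")

REDACTED = "[REDACTED]"


def redact_cookie_pairs(cookie_string):
    """Keep cookie names (useful for debugging) but replace every value,
    since any of them may be a bearer credential like a session id."""
    pairs = []
    for pair in cookie_string.split(";"):
        name, sep, _value = pair.strip().partition("=")
        pairs.append(f"{name}={REDACTED}" if sep else name)
    return "; ".join(p for p in pairs if p)


def redact_curl_cookies(text):
    """Return text with cookie values in embedded cURL commands replaced."""
    def sub_header(m):
        return (m.group(1) + m.group(2) + m.group(3)
                + redact_cookie_pairs(m.group(4)) + m.group(2))

    def sub_flag(m):
        quote = m.group(2) or ""
        value = m.group(3) if m.group(3) is not None else m.group(4)
        return m.group(1) + quote + redact_cookie_pairs(value) + quote

    return FLAG_COOKIE.sub(sub_flag, HEADER_COOKIE.sub(sub_header, text))


def leaks_cookie_credential(text):
    """Pre-send check: True while the text still carries a cookie value."""
    return redact_curl_cookies(text) != text
```

Combined short flags (for example `-sb`) and cookies inside `--data` bodies are outside what these two patterns cover, so treat a negative check as a hint, not proof.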
"HackerOneStaff Access," the community member haxta4ok00 wrote in broken English on November 24. "i can read all reports @security and more program." In a follow-up message, haxta4ok00 wrote: "i found what is you can edit private program (for test) I have not changed anything and not used , all for the sake of hacking." On the same day, the hacker followed up again, writing: "If you need Proof, I can write a message [redacted]."