In total, more than $23 million (£17.5 million) in bounties has been paid to members of its half-a-million-strong hacker community. HackerOne operates as a conduit between ethical hackers looking for vulnerabilities and organizations including General Motors, Goldman Sachs, Google, Microsoft, Twitter, and even the U.S. Pentagon, all of whom want to patch those security holes before malicious threat actors can exploit them. It has now been revealed that one of the hackers registered with the platform went a little “off-piste” and hacked HackerOne instead. That hacker was paid $20,000 (£15,250) as a result, by HackerOne.
Who was the hacker, and how did HackerOne get hacked?
A hacker and HackerOne community member by the name of haxta4ok00 posted a report to the bug bounty platform on November 24, which stated: “i can read all reports @security and more program.” The hacker, in broken English, was revealing something very worrying indeed: namely, that they had accessed a HackerOne security analyst’s account and were able to read sensitive information as a result. On November 25, Jobert Abma, a HackerOne co-founder, confirmed in response to haxta4ok00 that an attacker didn’t need any authentication privileges to exploit the vulnerability and that it carried a “high” Common Vulnerability Scoring System (CVSS) rating.
As is often the case when it comes to security, it’s the small details that matter. The small detail here was that a HackerOne security analyst had cut and pasted a command while in communication with the hacker regarding a submission to the bug bounty program. To get technical for a moment, it was a cURL command; cURL (“client URL”) is a command-line tool that transfers data to and from a server without user interaction, and a cURL command copied from a browser’s developer tools carries the request headers along with it. That command contained the staff member’s session cookie. A session cookie is a temporary cookie, discarded when the browser is closed, that lets the user navigate through a site without having to authenticate on every new page or section. Whoever holds the cookie value holds the session, so haxta4ok00 was able to view the same records that the logged-in HackerOne analyst could access, without providing any authentication. That session cookie was revoked two hours after the breach report was made, and so any new unauthorized access to the account was blocked. On November 26, HackerOne added restrictions to employee and analyst sessions so they can only be used from the originating IP address, to mitigate any similar incidents in the future.
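The two defensive controls the incident points to, as an added Python example that is not HackerOne’s own code: a helper that scrubs cookie values out of a cURL command before it is pasted into a report, and a server-side session table that binds each session to the IP address it was created from, in the spirit of the restriction HackerOne added on November 26. All names, the regular expression, and the sample command are constructed for this illustration.

```python
import re
import secrets
from dataclasses import dataclass

# Matches the cookie-bearing arguments of a pasted cURL command:
#   -H 'Cookie: ...' / --header "Cookie: ..." / -b '...' / --cookie "..."
# The value group stops at the closing quote, which is left in place.
_COOKIE_ARG = re.compile(
    r'''(?P<flag>(?:-H|--header)\s+['"]Cookie:\s*|(?:-b|--cookie)\s+['"])'''
    r'''(?P<value>[^'"]+)''',
    re.IGNORECASE,
)


def redact_curl_cookies(command: str) -> str:
    """Replace cookie values in a cURL command with a placeholder so the
    command can be shared in a report without handing over the session."""
    return _COOKIE_ARG.sub(lambda m: m.group("flag") + "<REDACTED>", command)


@dataclass
class Session:
    user: str
    origin_ip: str  # IP address the session was created from


class SessionStore:
    """Server-side session table; each token is bound to its originating IP."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, client_ip)
        return token

    def authenticate(self, token: str, client_ip: str):
        """Return the user if the token is valid AND presented from the IP it
        was issued to. A token replayed from any other address is treated as
        leaked: the request is refused and the session is revoked outright.
        (Caveat: users whose address changes mid-session must log in again.)"""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess.origin_ip != client_ip:
            del self._sessions[token]
            return None
        return sess.user

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)
```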
Although an internal investigation by HackerOne concluded that there was no evidence of malicious intent by haxta4ok00 and that the hacker had deleted all the data they retrieved during the breach, the consequences could have been enormous. Had the hacker been malicious, they could potentially have accessed the unpatched security vulnerabilities of large organizations. Such vulnerabilities, not yet fixed or disclosed at the time, would be precious items for zero-day brokers selling them on dark markets. Given that the U.S. Department of Defense is a HackerOne customer, the repercussions could have gone well beyond simple monetary value.
According to the HackerOne report, “sensitive information of multiple objects was exposed,” but “data access was limited to the access the HackerOne Security Analyst had, which does not cover HackerOne’s entire customer base.”
Ilia Kolochenko, CEO of ImmuniWeb, said that he found it “quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature.” However, Kolochenko also praised HackerOne for the “rapid and transparent disclosure of the incident,” which he said, “serves as a laudable example to others and reminds us once again that humans are the weakest link.”