Comments On HackerOne Breach Lets Outside Hacker Read Customers’ Private Bug Reports

HackerOne, a leading vulnerability reporting platform that has paid hackers more than $23M on behalf of 100+ customers, has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports. The outsider was a HackerOne community member with a proven track record of finding and privately reporting vulnerabilities through the platform. While communicating with the community member late last month, one of the company’s security analysts sent them parts of a cURL command that mistakenly included a valid session cookie; anyone in possession of that cookie could read, and partially modify, the data the analyst had access to.

HackerOne revoked the session cookie exactly two hours and three minutes after the breach was reported, and the company’s incident response team has set out to investigate what happened and how much damage was done.

1 Expert Comment
Ilia Kolochenko, Founder and CEO, InfoSec Expert
December 5, 2019 2:33 pm

“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature. Other corrective measures may also appear questionable, for example blocking access from specific countries. Security researchers may feel at least uncomfortable, if not embarrassed, in light of HackerOne’s persistent advertising of a diversified and international crowd intelligence. And importantly, sophisticated cybercriminals will bypass this ‘measure’ with the utmost of ease. Nonetheless, rapid and transparent disclosure of the incident by HackerOne serves as a laudable example to others, and reminds us once again that humans are the weakest link.

In the near future, attackers will probably consider targeted attacks against crowd security testing platforms. This incident will likely serve as a catalyzer after disclosing how many unprecedented opportunities cybercriminals may get by breaching one single privileged account. It won’t be a trivial task, but the efforts will generously pay off, considering the volume of critical and unpatched vulnerabilities residing on crowd security testing platforms.”
