HackerOne, a leading vulnerability reporting platform that has paid hackers more than $23M on behalf of 100+ customers, has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports. The outsider was a HackerOne community member with a proven track record of finding and privately reporting vulnerabilities through the platform. Late last month, while communicating with that community member, one of the company’s security analysts sent them parts of a cURL command that mistakenly included a valid session cookie. Anyone in possession of that cookie could read, and partially modify, the data the analyst had access to.
HackerOne revoked the session cookie exactly two hours and three minutes after the breach was reported, and the company’s incident response team has set out to investigate what happened and how much damage was done.
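The leak described above is a familiar failure mode: a working cURL command copied out of a terminal carries the operator's live session cookie in a -H 'Cookie: ...' or -b argument, and whoever receives it inherits the operator's access. The following is an added example, not code from HackerOne or from the article, showing a pre-share check that flags and redacts cookie and Authorization values in a cURL command so the command stays debuggable without carrying credentials. The sample command, host name and cookie names are constructed for the example; the regular expressions assume the single- or double-quoted argument style that shells and browser "Copy as cURL" produce.

```python
import re

# Constructed sample (not from the article): a cURL command of the shape that
# leaks a session cookie when pasted into a chat, ticket or bug report.
SAMPLE_CURL = (
    "curl 'https://api.example.test/reports/1234' "
    "-H 'Cookie: __Host-session=abc123def456; theme=dark' "
    "-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig' "
    "-b 'session_id=zzz999' --compressed"
)

REDACTED = "<REDACTED>"

# -H 'Cookie: ...' or -H "Authorization: ..." (quote style captured in group 2
# and matched again at the end so the value cannot run past its own argument).
HEADER_RE = re.compile(
    r"""(?<!\S)(-H\s*(["']))\s*(cookie|authorization)\s*:\s*(.*?)(\2)""", re.I
)
# -b '...' / --cookie '...' : the cookie-jar-or-string flag.
COOKIE_FLAG_RE = re.compile(r"""(?<!\S)((?:-b|--cookie)\s*(["']))(.*?)(\2)""")


def _cookie_names(cookie_str):
    """Return the cookie names in 'a=1; b=2', ignoring empty fragments."""
    names = []
    for pair in cookie_str.split(";"):
        name = pair.strip().partition("=")[0]
        if name:
            names.append(name)
    return names


def redact_cookie_pairs(cookie_str):
    """Keep every cookie name but blank every value: names help debugging,
    values are the credential."""
    out = []
    for pair in cookie_str.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, _ = pair.partition("=")
        out.append(f"{name}={REDACTED}" if sep else pair)
    return "; ".join(out)


def _sub_header(m):
    name, value = m.group(3), m.group(4)
    if name.lower() == "cookie":
        new = redact_cookie_pairs(value)
    else:
        # Keep the scheme (Bearer, Basic) so the reader knows the auth type,
        # drop the credential; a bare token with no scheme is dropped whole.
        scheme, sep, _ = value.partition(" ")
        new = f"{scheme} {REDACTED}" if sep else REDACTED
    return f"{m.group(1)}{name}: {new}{m.group(5)}"


def _sub_cookie_flag(m):
    return f"{m.group(1)}{redact_cookie_pairs(m.group(3))}{m.group(4)}"


def find_secrets(cmd):
    """List (kind, name) findings so a pre-share hook can refuse the paste."""
    findings = []
    for m in HEADER_RE.finditer(cmd):
        if m.group(3).lower() == "cookie":
            findings += [("cookie", n) for n in _cookie_names(m.group(4))]
        else:
            findings.append(("authorization", m.group(4).split(" ")[0]))
    for m in COOKIE_FLAG_RE.finditer(cmd):
        findings += [("cookie", n) for n in _cookie_names(m.group(3))]
    return findings


def redact_curl(cmd):
    """Return the command with every cookie and Authorization value blanked."""
    cmd = HEADER_RE.sub(_sub_header, cmd)
    return COOKIE_FLAG_RE.sub(_sub_cookie_flag, cmd)


if __name__ == "__main__":
    for kind, name in find_secrets(SAMPLE_CURL):
        print(f"found {kind}: {name}")
    print(redact_curl(SAMPLE_CURL))
```

Run as a pre-commit or chat-paste hook, find_secrets() gives the analyst a reason to stop before sending, and redact_curl() gives them a version that still shows the URL, headers and flags a colleague needs to reproduce the request. Redacting every cookie value rather than guessing which names are "session" cookies is deliberate: cookie names say nothing reliable about what the value grants.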
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.