Vulnerability-reporting platform HackerOne has come clean about a critical security flaw on its own website that could be used to expose the email addresses of users.
A researcher going by the name of “msdian7” revealed how an attacker could exploit the site’s project invite feature to uncover the email addresses of other users as detailed on the site itself:
“HackerOne has an invitation system that allows program owners to send invitations to users for various purposes, such as invitations to hack on private programs, claim bounties, be added to programs, among others. The invitation system allows users to be invited by email or by username. If a user is invited by their username, the sender is not permitted to view the email address the invitation is sent to for user privacy. This rule has been guarded by HackerOne’s Access Control Lists (ACLs) in HackerOne’s Representational state transfer (REST) framework, but HackerOne has been migrating these objects to GraphQL under a new protection layer. When exposing a new invitation object, the ACL rule previously applied wasn’t implemented correctly to the new GraphQL protection layer.”
To HackerOne’s credit, the issue was resolved within three hours of msdian7 reporting the issue to them.
That’s an impressive response by HackerOne.
And that’s the important thing. I think we can all accept that any complicated website might have vulnerabilities and flaws from time-to-time. What matters most is that they are identified promptly and then resolved as quickly as possible, reducing the window of opportunity for malicious exploitation.
Msdian7 has been awarded a $8,500 bounty for their trouble.
A researcher using the handle msdian7 was given an $8,500 payout for discovering and reporting how an attacker could game the project invite feature on the site to view the hidden email addresses of other users. The flaw was traced back to a missing access control rule in HackerOne’s new GraphQL system.
In December a different security researcher received $20,000 from HackerOne after they discovered a way to access other users’ bug reports on the website.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.