Bug bounty platform provider HackerOne Tuesday disclosed that one of its own security analysts mistakenly sent a session cookie to a white-hat researcher on Nov. 24, allowing the researcher to take over the analyst’s account and access vulnerability reports on a number of companies.
The researcher, known in the HackerOne community as haxta4ok00, promptly reported the error to the company and received his (or her) own bug bounty reward of $20,000 for doing so – but not before being questioned about viewing sensitive data belonging to HackerOne clients.
According to HackerOne’s online disclosure, the inadvertent cookie leak took place when the security analyst sent haxta4ok00 a communication containing part of a cURL command – copied from a browser console – that disclosed the session cookie. The white-hat researcher found that he was able to use the cookie to enter the session, despite working on a different device than the one that started the session. HackerOne said it did not prevent the cookie from being used in a separate context because, among other reasons, “many of HackerOne’s users work from mobile connections and through proxies,” and so “blocking access would degrade the user experience for those users.”
HackerOne said it revoked the session cookie about two hours after it had been accidentally shared and commenced an investigation to see which of its clients had their data exposed to the researcher. Affected parties received an additional notification. In response to the incident, HackerOne changed its cookies policy by binding user sessions to the specific IP address used during the initial sign-in. If any other IP address is used to attempt to join a session, the session will terminate.
Other new changes include preventing users from accessing resources if they are located in certain countries restricted by HackerOne, and updating the bug bounty program to state actions that should be taken if it is believed a hacker has access to sensitive materials. The company said it has also taken steps to detect and redact sensitive data, including cookies and authentication tokens, in user comments.
HackerOne also says it plans to revise its security analyst permission model and improve education for both employees and hackers.
“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature,” said Ilia Kolochenko, founder and CEO of ImmuniWeb, in emailed comments. “Other corrective measures may also appear questionable; for example, blocking access from specific countries… Nonetheless, rapid and transparent disclosure of the incident by HackerOne serves as a laudable example to others, and reminds us once again that humans are the weakest link.”
HackerOne said an audit did not turn up any other past instances of a session cookie accidentally leaking outside of this particular incident.
Even though haxta4ok00 appears to have acted with integrity and withheld no details, HackerOne officials did express concern to the researcher over some of his actions.
“We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us? Thanks!” wrote Jobert Abma, co-founder of HackerOne, in one disclosed communication.
“I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once. I was not sure that after the token substitution I would own all the rights,” replied haxta4ok00.
Later, a separate communication from HackerOne informed haxta4ok00 that he would receive $20,000 for his incident disclosure. However, “During our Incident Response process, we noticed that a few reports were accessed after you submitted the report to us. Although we understand why you did so, we’d like to stress that this behavior may disqualify you from a bounty in the future.”
Craig Young, computer security researcher with Tripwire, said he was among the researchers who were informed by HackerOne that a non-public report he filed had been exposed via the leaked cookie.
Bug bounty programs facilitated through digital platforms have historically yielded important vulnerability discoveries and provide an important bridge of communication between the hacking community and private-sector organizations and government agencies. But such programs are not without their own risks, say experts.
“Exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users,” said Young. “While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like BugCrowd or HackerOne. The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies or even criminal actors to fill their arsenal.”
“In the near future, attackers will probably consider targeted attacks against crowd security testing platforms,” said Kolochenko. “This incident will likely serve as a catalyzer after disclosing how many unprecedented opportunities cybercriminals may get by breaching one single privileged account. It won’t be a trivial task, but the efforts will generously pay off, considering the volume of critical and unpatched vulnerabilities residing on crowd security testing platforms.”
The post Cookie leak allows white-hat researcher to access HackerOne vulnerability reports appeared first on SC Media.