A hacker was able to access private customer reports on HackerOne after one of the platform’s security analysts inadvertently shared a session cookie.
The incident occurred last week during an online exchange about a bug bounty report that the hacker submitted to HackerOne. Specifically, the HackerOne Security Analyst copied a cURL command from a browser console and sent it to the hacker without removing sensitive information from it.
This resulted in the Analyst’s security cookie being shared with the hacker. The session cookie is obtained after the HackerOne staff member goes through multi-factor Single Sign-On (SSO) and provides access to all platform features, including all of the reports that the Analyst supports.
With the session cookie in hand, the hacker was able to access a broad range of sensitive information, such as HackerOne customer reports, including some from private bug bounty programs.
Through the inbox on the Human-Augmented Signal (HAS) service that HackerOne offers, the Triage Inbox, or Inbox features, the hacker could access report titles and limited metadata, but had access to report contents when using the Report View feature.
The HAS Inbox loaded up to 25 reports in default view, the Triage inbox loaded up to 100 reports to show on the user interface, while the main Inbox loaded up to 25 reports in default view.
“Data access was limited to the access the HackerOne Security Analyst had, which does not cover HackerOne’s entire customer base. If your data was accessed during this incident, you have received a separate notification from HackerOne,” the company explained.
After checking how much access he had to the platform, the hacker submitted a report to HackerOne, on Sunday, November 24, at 05:00 am PST. The team noticed the report two hours later and the session cookie was revoked on November 24 at 15:11 UTC.
“Revoking the session cookie rendered it useless to anyone using it. The subsequent investigation focused on affected customers, vulnerability data, intent, communication, and preventative measures, which concluded on November 26, 2019,” HackerOne explains in an incident report.
The root cause of the incident was not the fact that the Security Analyst shared the session cookie in the cURL command, as this is a human error that could have happened to anyone, but the fact that the hacker-powered bug hunting platform did not implement additional defenses that would prevent the use of the session cookie in a separate browser.
To address the issue, HackerOne decided to bind the user’s session to the IP address (thus, if someone attempts to use it from a different IP address, the session is terminated), and to restrict the use of sessions from a specific restricted list of countries. The binding won’t be rolled out to customers.
Additionally, HackerOne decided to adopt paging the on-call security person when a critical report gets submitted, to ensure it is addressed immediately, and also updated its bug bounty program policy to specify actions for when a hacker accesses a HackerOne account, sensitive keys, or sensitive data.
“While HackerOne was able to determine which reports were access based on the executed GraphQL queries, HackerOne is planning to improve their logging of information around data access. This will support Incident Response capabilities and allow the incident response to be performed faster,” the platform also said.
According to HackerOne, their investigation has not revealed similar sharing of session cookies in previous conversations between its Security Analysts and hackers.
After confirming that the hacker was fully transparent regarding the information he accessed, the platform decided to award a $20,000 bug bounty reward. The issue was rated High severity, with a CVSS score of 8.3, but was treated as Critical.
“In a startling announcement, HackerOne has informed myself and an unknown number of other researchers that our non-public reports have been partially disclosed to an unauthorized party,” Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), told SecurityWeek.
“While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like BugCrowd or HackerOne. The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies (or even criminal actors) to fill their arsenal,” Young also said.
“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented via email.
“In the near future, attackers will probably consider targeted attacks against crowd security testing platforms. This incident will likely serve as a catalyzer after disclosing how many unprecedented opportunities cybercriminals may get by breaching one single privileged account. It won’t be a trivial task, but the efforts will generously pay off, considering the volume of critical and unpatched vulnerabilities residing on crowd security testing platforms,” Kolochenko concluded.