It may sound like a tongue-twister: bug bounty platform HackerOne recently revealed that one of its security analysts inadvertently sent a session cookie to a bug hunter on November 24 this year, which allowed the bug hunter to access the analyst’s account and the company’s vulnerability reports.
The bug hunter, known as haxta4ok00 in the HackerOne community, promptly reported the error to the company, for which he/she received a reward of US$ 20,000.
The company stated that sensitive data belonging to multiple objects was exposed in the incident. The hacker is said to have accessed information from vulnerability reports such as title, state, severity, and assignee.
HackerOne helps organizations find and fix the potential vulnerabilities before they can be exploited by cybercriminals.
Cut-and-Paste – the Root Cause
The issue occurred when a HackerOne analyst cut-and-pasted a cURL command into a report exchange with haxta4ok00 without removing the analyst’s session cookie from it.
With that cookie, haxta4ok00 was able to view HackerOne’s vulnerability reports and other records that only its staff members are supposed to be able to access. According to HackerOne, this could potentially have exposed the vulnerabilities of many large organizations.
“When a Security Analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report. During this dialogue, Security Analysts may include steps they’ve taken in their response to the report, including HTTP requests that they made to reproduce. In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie,” HackerOne said in a post.
HackerOne revoked the session cookie on November 24, 2019, two hours after it was shared.
“Revoking the session cookie rendered it useless to anyone using it. The subsequent investigation focused on affected customers, vulnerability data, intent, communication, and preventative measures, which concluded on November 26, 2019,” HackerOne concluded.