The bug bounty platform HackerOne paid a $20,000 bounty to an outside hacker after mistakenly allowing him to read and change some of its customers' bug reports.
It all started when the outsider, a HackerOne community member with a track record of discovering vulnerabilities, was corresponding with one of the company's security analysts. The HackerOne analyst sent part of a cURL command to the user, who goes by the handle haxta4ok00.
However, the cURL command the analyst sent inadvertently contained a valid session cookie. Anyone who obtained that cookie could use it to read, and partially modify, all of the data the analyst had access to, because the cookie alone is what authenticates requests to the platform.
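The practical lesson from this leak is that a pasted cURL command is a credential if it carries a `Cookie` or `Authorization` header. The following script is an added example, not HackerOne's code or the analyst's actual command: it tokenizes a cURL command with `shlex`, replaces the values of credential-bearing options (`-H 'Cookie: ...'`, `-H 'Authorization: ...'`, `-b/--cookie`, `-u/--user`, and their `--option=value` spellings) and reports which ones it found, so a command can be checked before it goes into a ticket or chat. The sample command, its hostname and its cookie value are constructed for illustration.

```python
"""Redact credential-bearing options from a cURL command before sharing it.

Added example (not HackerOne's code). The SAMPLE command, hostname and
cookie value below are constructed for illustration.
"""
from __future__ import annotations

import re
import shlex

# Header names whose values are bearer credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "x-auth-token"}
REDACTED = "<REDACTED>"

# Options whose separate argument is always a secret.
SECRET_VALUE_OPTS = {"-b", "--cookie", "-u", "--user"}
# Options whose separate argument is a "Name: value" header.
HEADER_OPTS = {"-H", "--header"}


def _redact_header(header: str) -> str:
    """Return the header with its value replaced if the header name is sensitive."""
    name, sep, _value = header.partition(":")
    if sep and name.strip().lower() in SENSITIVE_HEADERS:
        return f"{name.strip()}: {REDACTED}"
    return header


def redact_curl_command(command: str) -> tuple[str, list[str]]:
    """Return (cleaned_command, findings) for a shell-syntax cURL command.

    findings lists the redacted options (e.g. "-H Cookie", "-u") so the caller
    can tell whether the original command carried any credential at all.
    """
    tokens = shlex.split(command)
    out: list[str] = []
    findings: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None

        # -H 'Cookie: ...' / --header 'Authorization: ...'
        if tok in HEADER_OPTS and nxt is not None:
            cleaned = _redact_header(nxt)
            if cleaned != nxt:
                findings.append(f"{tok} {nxt.partition(':')[0].strip()}")
            out.extend([tok, cleaned])
            i += 2
            continue

        # -b/--cookie 'name=value' and -u/--user user:password
        if tok in SECRET_VALUE_OPTS and nxt is not None:
            findings.append(tok)
            out.extend([tok, REDACTED])
            i += 2
            continue

        # Long options written as --header=..., --cookie=..., --user=...
        m = re.match(r"^(--header|--cookie|--user)=(.*)$", tok, flags=re.DOTALL)
        if m:
            opt, val = m.group(1), m.group(2)
            if opt == "--header":
                cleaned = _redact_header(val)
                if cleaned != val:
                    findings.append(f"{opt} {val.partition(':')[0].strip()}")
                out.append(f"{opt}={cleaned}")
            else:
                findings.append(opt)
                out.append(f"{opt}={REDACTED}")
            i += 1
            continue

        out.append(tok)
        i += 1

    # shlex.join re-quotes tokens so the result is still a valid shell command.
    return shlex.join(out), findings


# Constructed sample of what an analyst might paste into a ticket; the host,
# session cookie and bearer token are made up for this example.
SAMPLE = (
    "curl 'https://api.example.test/reports/1234' "
    "-H 'Accept: application/json' "
    "-H 'Cookie: __Host-session=a1b2c3d4e5f6; _csrf=xyz' "
    "-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.demo' "
    "--cookie 'other=value' "
    "-u analyst:hunter2"
)

if __name__ == "__main__":
    clean, found = redact_curl_command(SAMPLE)
    print(clean)
    print("redacted:", found)
```

A non-empty `findings` list is the signal that matters: if the command ever contained a session cookie or token, the right response is not just to redact the paste but to revoke that session server-side, since the value may already have been seen.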
Fortunately, HackerOne revoked the session cookie two hours after haxta4ok00 first reported the issue. It is not clear how much data the security analyst's mistake exposed, but in its incident report the company said that all affected customers have already been privately notified.
The report also states that the exposed data was limited to reports the security analyst had access to. However, the disclosure does not reveal how many customers or how much data was affected. One day after the incident, Jobert Abma, co-founder of HackerOne, wrote to haxta4ok00:
"It was not necessary for you to open all the reports and pages to confirm that you had access to the account. Would you mind explaining why you did this to us?"
Haxta4ok00 responded by saying that he had opened all the reports and pages to "show the impact" and that he had not meant any harm to HackerOne or its customers. This explanation was not enough for Abma, who replied: "This has become a major incident, not because it happened, but because of the amount of data you accessed."
Haxta4ok00 still received a $20,000 bounty for the discovery, along with the valuable lesson that you should not open files just because they were accidentally exposed to you.
Via Ars Technica