
Bug bounty platform HackerOne pays $20,000 to hacker who compromised its systems

Written by Mon 9 Dec 2019

Session cookie crumbs granted hacker access to HackerOne vulnerability reports

HackerOne was left red-faced last week after it admitted a hacker exposed a vulnerability in its popular bug-bounty platform.

In November, a bug hunter was able to flick through HackerOne vulnerability reports at will after they were sent a session cookie by one of the platform’s security researchers, granting the hacker access to their privileged account.

The bug hunter, who goes by the name of haxta4ok00, received a tidy $20,000 for reporting the flaw, which exposed sensitive information such as vulnerability title, state, severity and assignee.

Formed in 2012, HackerOne is a platform that rewards hackers for discovering security vulnerabilities. The organisation helps clients including Starbucks, Instagram, Goldman Sachs and Twitter fix flaws before they are exploited by hackers.

On this occasion, HackerOne was a beneficiary of its own hacker-powered security, after one of its security analysts cut-and-pasted a cURL command (cURL is a command-line tool for transferring data to and from URLs) that still contained his session cookie.

Armed with this information, haxta4ok00 was able to browse through HackerOne's sizable directory of vulnerability reports, which are strictly guarded to protect client security.

“When a Security Analyst fails to reproduce a potentially valid security vulnerability, they go back and forth with the hacker to better understand the report. During this dialogue, Security Analysts may include steps they’ve taken in their response to the report, including HTTP requests that they made to reproduce. In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie,” HackerOne said in a post.
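The failure mode described in the quote above is a "Copy as cURL" command pasted into a report with its Cookie header still attached. The following redactor is an added example (not HackerOne's own tooling) that masks credential-bearing curl arguments before text is posted; the curl command, hostname and session value it runs on are constructed.

```python
from __future__ import annotations
import re

# Header names whose values are credentials and must never reach a shared report.
SENSITIVE_HEADERS = ("cookie", "authorization", "x-csrf-token")

# curl -H/--header argument in either quoting style, e.g.  -H 'Cookie: a=b'
HEADER_RE = re.compile(
    r"""(?P<flag>-H|--header)\s+(?P<q>['"])(?P<name>[^:'"]+):\s*(?P<value>.*?)(?P=q)"""
)
# curl -b/--cookie argument, e.g.  -b 'session=...'
COOKIE_FLAG_RE = re.compile(r"""(?P<flag>-b|--cookie)\s+(?P<q>['"])(?P<value>.*?)(?P=q)""")


def redact_curl(command: str) -> tuple[str, list[str]]:
    """Return the curl command with credential-bearing arguments masked,
    plus the list of header names / flags that were redacted (in order)."""
    found: list[str] = []

    def mask_header(m: re.Match) -> str:
        name = m.group("name").strip()
        if name.lower() in SENSITIVE_HEADERS:
            found.append(name)
            return f"{m.group('flag')} {m.group('q')}{name}: <REDACTED>{m.group('q')}"
        return m.group(0)  # harmless header, keep verbatim

    def mask_cookie(m: re.Match) -> str:
        found.append(m.group("flag"))
        return f"{m.group('flag')} {m.group('q')}<REDACTED>{m.group('q')}"

    cleaned = HEADER_RE.sub(mask_header, command)
    cleaned = COOKIE_FLAG_RE.sub(mask_cookie, cleaned)
    return cleaned, found


# Constructed sample, in the shape a browser's "Copy as cURL" produces.
SAMPLE_CURL = r"""curl 'https://bugbounty.example/reports/1' \
  -H 'Accept: application/json' \
  -H 'Cookie: __Host-session=CONSTRUCTED_SESSION_VALUE; csrf=abc' \
  -H 'User-Agent: Mozilla/5.0' \
  --compressed"""

if __name__ == "__main__":
    cleaned, found = redact_curl(SAMPLE_CURL)
    print(cleaned)
    print("redacted:", found)
```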

HackerOne revoked the session cookie in question two hours after it was shared, rendering it useless to anyone else who had access to it.

“A hacker had access for a short time to information relating to other programmes running on the HackerOne platform. Less than 5 per cent of HackerOne programmes were impacted, and those programmes were contacted within 24 hours of report receipt,” HackerOne said in a statement.
