
HackerOne pays $20,000 bounty after breach of own systems

In an embarrassing twist, bug bounty platform HackerOne has paid a $20,000 reward to a researcher who reported a security flaw inadvertently caused by one of its staff during… a bug submission.


According to the company’s timeline, the bizarre incident happened on 24 November when one of its analysts tried to reproduce a security issue submitted by a registered community member called haxta4ok00.

After failing to reproduce the bug, the analyst opened a dialogue with the member during which parts of a curl command (curl is a command line tool used to fetch data from URLs) were accidentally included in a reply. That command disclosed a live session cookie. Session cookies are ‘keys’ that grant you access to a service after you’ve logged in, so having somebody’s session cookie is as good as having their password.
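The leak described above came from a credential-bearing curl command pasted into a reply. The following is an added example (not HackerOne's tooling) of a pre-send check that redacts the values of `Cookie`/`Authorization` headers and `-b`/`--cookie` flags from a curl command before it is shared; the command and cookie value are constructed samples.

```python
import re

# Constructed sample of the kind of curl command an analyst might paste into a
# reply. The cookie and token values are made up, not from the incident.
SAMPLE_CMD = (
    "curl -s 'https://example.test/reports/123' "
    "-H 'Cookie: _session_id=0123456789abcdef; theme=dark' "
    "-H 'Authorization: Bearer eyJhbGciOi...' "
    "-b 'other=abc' --cookie 'third=def' "
    "-H 'Accept: application/json'"
)

# Header names whose values are credentials and should never leave the shell.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "set-cookie"}

# -H/--header 'Name: value' (quoted or bare); the flag must start a token.
HEADER_RE = re.compile(
    r"(?<!\S)(-H|--header)\s+(['\"]?)([A-Za-z0-9-]+)\s*:\s*([^'\"]*)\2"
)
# -b/--cookie 'value'
COOKIE_FLAG_RE = re.compile(r"(?<!\S)(-b|--cookie)\s+(['\"]?)([^'\"\s]*)\2")


def redact_curl_secrets(cmd: str) -> str:
    """Replace credential-bearing header and cookie-flag values with a placeholder.

    Non-sensitive headers (Accept, Content-Type, ...) are left untouched so the
    command remains useful for reproducing the reported issue.
    """
    def _header(m: re.Match) -> str:
        flag, quote, name, value = m.group(1), m.group(2), m.group(3), m.group(4)
        if name.lower() in SENSITIVE_HEADERS:
            value = "[REDACTED]"
        return f"{flag} {quote}{name}: {value}{quote}"

    cmd = HEADER_RE.sub(_header, cmd)
    cmd = COOKIE_FLAG_RE.sub(
        lambda m: f"{m.group(1)} {m.group(2)}[REDACTED]{m.group(2)}", cmd
    )
    return cmd


def contains_credentials(cmd: str) -> bool:
    """True when the command carries something the redactor would strip."""
    return redact_curl_secrets(cmd) != cmd


if __name__ == "__main__":
    print(redact_curl_secrets(SAMPLE_CMD))
```

A hook like this belongs in the ticketing or chat integration, not in the analyst's head, since the incident shows that manual care alone is not a control.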

That gave haxta4ok00 access to all the customer reports handled by that analyst for the duration of that session, with the result that:

Sensitive information of multiple objects was exposed. During the timeframe the hacker had access, three different features were used to access sensitive information.

In other words, a security bug had occurred during the reporting of a security bug.

Twenty minutes after it happened, after poking around a bit, haxta4ok00 gave HackerOne the bad news about the breach.

Two hours after that, someone at HackerOne responded, revoking the vulnerable session cookie three minutes later.

What just happened?

On the face of it, the incident was simple human error. In comments to the BBC, HackerOne admitted:

Less than 5% of HackerOne programs were impacted, and those programs were contacted within 24 hours of report receipt.

Luckily, haxta4ok00 did the right thing and came clean about the bug they’d spotted. But judging from exchanges at the end of the advisory between HackerOne’s co-founder Jobert Abma and haxta4ok00, the bug spotter’s poke-about was troubling:

We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?

To which haxta4ok00 replied:

I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once.

The learning

The flaw was marked as a critical vulnerability, and haxta4ok00 was awarded the maximum bounty for that type of flaw – $20,000.

HackerOne has detailed several preventative measures, which include closing the potential vulnerability by limiting analyst sessions to the IP address from which they originate. And to reduce the time it takes to react to a critical report submission – a particular problem at weekends, as was the case here – it has decided to “move from a Slack notification to paging the on-call security person”.
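To illustrate the first of those measures, here is an added example (not HackerOne's code) of a server-side session store that binds each session to the client IP that created it: a cookie replayed from any other address is rejected, the session is revoked, and an audit entry is written for the on-call responder. IP addresses and the eight-hour lifetime are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    client_ip: str     # address the session was created from
    created: float     # epoch seconds


@dataclass
class SessionStore:
    """Server-side session table; the cookie value is only an opaque lookup key."""
    ttl_seconds: float = 8 * 3600                 # assumed analyst shift length
    _sessions: Dict[str, Session] = field(default_factory=dict)
    # Constructed audit log: (time, user, bound_ip, presented_ip) per rejection.
    audit: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)         # 256-bit random cookie value
        self._sessions[token] = Session(user, client_ip, now or time.time())
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def resolve(self, token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid cookie, else None.

        A cookie presented from an address other than the one that created the
        session is treated as leaked: it is revoked immediately and logged, so a
        pasted cookie is useless from anywhere but the analyst's own machine.
        """
        now = now or time.time()
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.ttl_seconds:   # expired: drop it
            self.revoke(token)
            return None
        if s.client_ip != client_ip:             # replay from elsewhere
            self.audit.append((now, s.user, s.client_ip, client_ip))
            self.revoke(token)
            return None
        return s.user
```

IP binding does break legitimate sessions for users behind changing NAT or mobile addresses, which is why it suits a small, VPN-homed analyst population better than a public user base.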

5 Comments

We as security practitioners or those employees that are accountable/responsible for incident response might think about getting better at our response. In this case the submitter did the right thing but the ‘victim’ instead of focusing on the flaw reacted by questioning the sincerity of the submitter. Granted it is never to ‘poke around’ once you expose a flaw but speaking from personal experience sometimes you literally cannot believe what you have stumbled upon so you take extra steps to back up your finding. Part of this is you may not want to come across as a fool if you were wrong so the more evidence you can provide the better.


I don’t think you can criticise HackerOne for asking an uncomfortable question like that… after all, just reporting that the cookie worked would have been enough. You can acknowledge someone’s positive actions while at the same time voicing displeasure about some aspects of how they went about it.

If you found my bicycle unlocked where it was likely to get nicked and told me so I could secure it, I’d be pretty happy. If you took it for a quick blast round town and filmed yourself pulling skids to prove that it really was both unlocked and rideable, I’d be impressed at your riding skillz and would probably say so, but I’d also be annoyed that you didn’t just tell me and leave it at that… and I’d probably say so, too.


Yes, but here is the reality: both the opening of files and riding the bike are examples which could land an individual in front of a criminal judge. Both operations are illegal but not equal.

It is obvious if you destroy the bike whilst joy-riding, the bike is gone, you are in the hospital recovering, and Paul is looking to sue for damages in small claims court.

On the other hand, if you open files, all kinds of really, really life-and-death things can happen. Disturbing the custody of evidence in a murder trial could get the case thrown out on a technicality; exposing highly classified state-secret type info (and he took screenshots vs. actually exfiltrating files) could FUBAR in the worst way, leading to people dying.

Now, that’s a bad day.


I don’t have a problem with what the security researcher did at all. The onus for my company (we operate a similar bug bounty program) on finding the scope of a vulnerability is on the researcher. If a researcher finds vulnerability X to resource A & resource B, the researcher may be paid $2,000. If they find the vulnerability has access to resources A, B, C, D & E, the bug could be closer to $10,000.

The security researcher did everything he should have done to guarantee his own success.


I hear you. But you can see HackerOne’s point too – it doesn’t sound as though the scope of the vulnerability was really in doubt. For example, if I found you had an email system that could be abused to send spam, then after I’d verified I could send 10, 100, 1000 spams at will…

…I wouldn’t really improve the clarity of my point by sending 100,000,000 more spams. Both of us could extrapolate to there, so after a while I’d kind of just be showing off.

They paid him anyway. So if they feel a bit as though they were kicked when they were already down, hey, give ’em that much :-)
