Cookie leak allows white-hat researcher to access HackerOne vulnerability reports

Bug bounty platform provider HackerOne Tuesday disclosed that one of its own security analysts mistakenly sent a session cookie to a white-hat researcher on Nov. 24, allowing the researcher to take over the analyst’s account and access vulnerability reports on a number of companies.

The researcher, known in the HackerOne community as haxta4ok00, promptly reported the error to the company and received his (or her) own bug bounty reward of $20,000 for doing so – but not before being questioned about viewing sensitive data belonging to HackerOne clients.

According to HackerOne’s online disclosure, the inadvertent cookie leak took place when the security analyst sent haxta4ok00 a communication containing part of a cURL command – copied from a browser console –  that disclosed the session cookie. The white-hat researcher found that he was able to use the cookie to enter the session, despite working on a different device than the one that started the session. HackerOne said did not prevent the cookie from being used in a separate context because, among other reasons, “many of HackerOne’s users work from mobile connections and through proxies,” and so “blocking access would degrade the user experience for those users.”

HackerOne said it revoked the session cookie about two hours after it had been accidentally shared and commenced an investigation to see which of its clients had their data exposed to the researcher. Affected parties received an additional notification. In response to the incident, HackerOne changed its cookies policy by binding user sessions to the specific IP address used during the initial sign-in. If any other IP address is used to attempt to join a session, the session will terminate.

Other new changes include preventing users from accessing resources if they are located in certain countries restricted by HackerOne, and updating the bug bounty program to state actions that should be taken if it is believed a hacker has access to sensitive materials. The company said it has also taken steps to detect and redact sensitive data, including cookies and authentication tokens, in user comments.

HackerOne also says it plans to revise its security analyst permission model and improve education for both employees and hackers.

“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature,” said Ilia Kolochenko, founder and CEO of ImmuniWeb, in emailed comments. “Other corrective measures may also appear questionable; for example, blocking access from specific countries… Nonetheless, rapid and transparent disclosure of the incident by HackerOne serves as a laudable example to others, and reminds us once again that humans are the weakest link.”

HackerOne said an audit did not turn up any other past instances of a session cookie accidentally leaking outside of this particular incident.

Even though haxta4ok00 appears to have acted with integrity and withheld no details, HackerOne officials did express concern to the researcher over some of his actions.

“We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us? Thanks!” wrote Jobert Abma, co-founder of HackerOne, in one disclosed communication.

“I did it to show the impact. I didn't mean any harm by it. I reported it to you at once. I was not sure that after the token substitution I would own all the rights,” replied haxta4ok00.

Later, a separate communication from HackerOne informed haxta4ok00 that he would receive $20,000 for his incident disclosure. However, “During our Incident Response process, we noticed that a few reports were accessed after you submitted the report to us. Although we understand why you did so, we’d like to stress that this behavior may disqualify you from a bounty in the future.”

Craig Young, computer security researcher with Tripwire, said he was among the researchers who were informed by HackerOne that a non-public report he filed has exposed via the leaked cookie.

Bug bounty programs facilitated through digital platforms have historically yielded important vulnerability discoveries and provide an important bridge of communication between the hacking community and private-sector organizations and government agencies. But such programs are not without their own risks, say experts.

“Exposure of non-public HackerOne reports presents an immediate danger to not only businesses with hosted programs but also effectively all Internet users,” said Young. “While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like BugCrowd or HackerOne. The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies or even criminal actors to fill their arsenal.”

“In the near future, attackers will probably consider targeted attacks against crowd security testing platforms,” said Kolochenko. “This incident will likely serve as a catalyzer after disclosing how many unprecedented opportunities cybercriminals may get by breaching one single privileged account. It won’t be a trivial task, but the efforts will generously pay off, considering the volume of critical and unpatched vulnerabilities residing on crowd security testing platforms.”