Attack on HackerOne that gave access to private vulnerability reports

HackerOne, the platform through which security researchers report vulnerabilities to vendors and receive bounties for them, has itself received a report about being hacked. One researcher managed to take over the account of a HackerOne security analyst, who had the ability to view confidential material, including details of vulnerabilities that have not yet been fixed. Since the platform's launch, HackerOne has paid researchers a total of $23 million for finding vulnerabilities in the products of more than 100 customers, including Twitter, Facebook, Google, Apple, Microsoft, Slack, the Pentagon and the US Navy.

Notably, the account takeover was made possible by human error. A researcher submitted a report about a potential vulnerability in HackerOne itself. While triaging the report, a HackerOne analyst tried to reproduce the proposed attack, could not, and replied to the submitter asking for additional details. The analyst did not notice that, along with the results of the failed attempt, he had inadvertently sent the contents of his own session cookie: as part of the exchange he included an example HTTP request made with the curl utility, complete with HTTP headers, from which he had forgotten to strip the session cookie.

The researcher noticed the slip and was able to gain access to the privileged account on hackerone.com simply by pasting the leaked cookie value into his own browser, without having to pass the multi-factor authentication the service uses. The attack worked because hackerone.com did not bind the session to the user's IP address or browser. The compromised session ID was revoked two hours after the report of the leak was filed. HackerOne decided to pay the researcher $20,000 for reporting the problem.

HackerOne launched an audit to determine whether similar cookie leaks had occurred in the past and to assess the potential exposure of confidential information about its customers' vulnerabilities. The audit found no evidence of earlier leaks and determined that the researcher who demonstrated the problem could have obtained information on roughly 5% of all programs hosted on the platform, namely those accessible to the analyst whose session key was used.

To protect against similar attacks in the future, HackerOne has bound session keys to the client's IP address and added filtering of session keys and authentication tokens from comments. Later it plans to replace IP binding with binding to the user's device, since IP binding is inconvenient for users with dynamically assigned addresses. HackerOne also decided to extend its logging with records of which user accessed which data and to introduce a granular access model for analysts' access to customer data.
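As an added illustration (example code written for this article, not HackerOne's own implementation), the following Python sketch puts the two controls described above side by side: a session lookup that honours the cookie from any origin, as the service behaved before the incident, versus one bound to the IP address the session was issued to; and a filter that scrubs session cookies and authorization tokens from a pasted curl command before a comment is stored. The cookie names, user names, IP addresses and the sample comment are constructed assumptions, not values from the platform.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# --- 1. Session binding -------------------------------------------------
# Illustrative in-memory session store. User names, roles and addresses
# are assumptions made for this example.


@dataclass
class Session:
    user: str
    role: str
    client_ip: str  # address the session was issued to
    mfa_passed: bool


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, role: str, client_ip: str, mfa_passed: bool = True) -> str:
        # Random, unguessable session ID; the cookie value is the only credential.
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, role, client_ip, mfa_passed)
        return sid

    def lookup_unbound(self, sid: str) -> Optional[Session]:
        # Pre-incident behaviour: whoever holds the cookie value gets the
        # session, with MFA already satisfied, regardless of where it comes from.
        return self._sessions.get(sid)

    def lookup_bound(self, sid: str, client_ip: str) -> Optional[Session]:
        # Mitigation: the cookie is honoured only from the IP it was issued to,
        # so a leaked cookie replayed from elsewhere is rejected.
        s = self._sessions.get(sid)
        if s is None or s.client_ip != client_ip:
            return None
        return s

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# --- 2. Scrubbing secrets from comments ---------------------------------
# Credentials that typically leak when a raw request or a curl command
# line is pasted into a report comment. Cookie names are an assumed list.
AUTH_HEADER_RE = re.compile(r"(?i)(\bauthorization:\s*(?:bearer|basic|token)\s+)([^\s'\"]+)")
CURL_COOKIE_FLAG_RE = re.compile(r"(?i)(\s(?:-b|--cookie)\s+['\"]?)([^\s'\"]+)")
SESSION_COOKIE_RE = re.compile(r"(?i)\b(_session_id|sessionid|session|sid)=([^;\s'\"]+)")
REDACTED = "[REDACTED]"


def redact_secrets(text: str) -> str:
    """Mask auth tokens and session cookie values before a comment is stored."""
    text = AUTH_HEADER_RE.sub(lambda m: m.group(1) + REDACTED, text)
    text = CURL_COOKIE_FLAG_RE.sub(lambda m: m.group(1) + REDACTED, text)
    # Only session-like cookies are masked; harmless ones (e.g. a theme
    # preference) stay readable so the reproduction steps remain useful.
    return SESSION_COOKIE_RE.sub(lambda m: m.group(1) + "=" + REDACTED, text)


def contains_secret(text: str) -> bool:
    """True if the text still carries something the filter would redact."""
    return redact_secrets(text) != text


def demo() -> dict:
    """Replay the incident and the fix; returns the outcomes for inspection."""
    store = SessionStore()
    analyst_ip, attacker_ip = "198.51.100.7", "203.0.113.9"  # constructed addresses
    sid = store.create("analyst", "triage", analyst_ip)
    # Constructed comment: the analyst pastes the curl command he used, headers included.
    comment = (
        "Could not reproduce. Tried:\n"
        f"curl -H 'Cookie: _session_id={sid}; theme=dark' "
        "-H 'Authorization: Bearer tok_example' https://example.invalid/reports/1"
    )
    results = {
        "unbound_replay_succeeds": store.lookup_unbound(sid) is not None,
        "bound_replay_from_other_ip": store.lookup_bound(sid, attacker_ip) is not None,
        "bound_owner_still_works": store.lookup_bound(sid, analyst_ip) is not None,
        "leaked_sid_in_scrubbed_comment": sid in redact_secrets(comment),
        "scrubbed_comment": redact_secrets(comment),
    }
    store.revoke(sid)
    results["after_revocation"] = store.lookup_bound(sid, analyst_ip) is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the unbound lookup accepting the cookie from anywhere, the bound lookup rejecting it from the second address while still working for the analyst, and the analyst's comment with the session ID and bearer token masked but the harmless theme cookie intact. The IP check is the simplest binding and has the drawback the article notes for users on dynamic addresses; a device or browser fingerprint would replace the `client_ip` comparison in `lookup_bound`.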

Source: opennet.ru