HackerOne pays $20,000 bug bounty after 'sloppy' breach

A company which helps big businesses uncover security holes in their platforms has itself been hacked.

HackerOne, which pays hackers who find bugs in products, services and websites for the likes of Uber and Goldman Sachs, was breached by one of its own community members.

The vulnerability was exposed by a user with the handle haxta4ok00.

Following the incident, HackerOne has paid $20,000 (£15,224) to haxta4ok00 for exposing the flaw.

A HackerOne spokesperson said in a statement: "Last week, while reporting a vulnerability to HackerOne, a hacker had access for a short time to information relating to other programs running on the HackerOne platform.

"Less than 5% of HackerOne programs were impacted, and those programs were contacted within 24 hours of report receipt."

Security analyst Graham Cluley described the incident as "sloppy" in a blog post on Thursday.

Cut-and-paste

"A simple human error potentially put other companies' bugs in danger of being exposed," Cluley told the BBC.

"One of the staff at HackerOne cut-and-pasted a URL with a bug hunter, but it unfortunately contained his session cookie details. With that information the bug hunter was able to view HackerOne records that only that logged-in staff member was supposed to have been able to see.

"If that information had been shared with someone with malicious intent, it could potentially have exposed the private vulnerabilities of many large organisations, including even the US Department of Defense."
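The failure Cluley describes is a session credential travelling inside a pasted artefact: a URL or a debugging command that still carries the author's cookie. The check a practitioner would want is a scrubber that runs over text before it is shared, masks cookie values and secret-looking query parameters, and reports what it found. The code below is an added example written for this page, not HackerOne's tooling or anything from Cluley's post; the sample command, the token values and the list of parameter names treated as sensitive are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of the kind of thing that gets pasted into a report:
# a curl invocation with a live Cookie header and a URL carrying a token.
# The values are made up for illustration; they are not real credentials.
PASTED = (
    "curl -H 'Cookie: __Host-session=AbCdEf1234567890; theme=dark' "
    "'https://example.test/reports/1?token=qwertyuiop1234567890&page=2'"
)

# Assumption: query parameter names that usually carry credentials.
SENSITIVE_PARAM = re.compile(r"(?i)(token|session|sess|sid|key|auth|secret|passw|cookie)")
# A Cookie header as it appears in a pasted curl/-H argument or raw request.
COOKIE_HEADER = re.compile(r"(?i)\b(cookie:\s*)([^'\"\r\n]+)")
URL = re.compile(r"https?://[^\s'\"]+")


def redact_cookie_header(text):
    """Mask every cookie value in Cookie: headers; keep names so the
    recipient still sees which cookies were present."""
    findings = []

    def repl(m):
        pairs = []
        for part in m.group(2).split(";"):
            name, _, value = part.strip().partition("=")
            if value:
                findings.append(("cookie", name))
                pairs.append(f"{name}=<REDACTED>")
            else:
                pairs.append(name)
        return m.group(1) + "; ".join(pairs)

    return COOKIE_HEADER.sub(repl, text), findings


def redact_url_secrets(text):
    """Mask the values of sensitive-looking query parameters in every URL,
    leaving harmless parameters (page numbers, filters) intact."""
    findings = []

    def repl(m):
        parts = urlsplit(m.group(0))
        query = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SENSITIVE_PARAM.search(name):
                findings.append(("query", name))
                value = "<REDACTED>"
            query.append((name, value))
        return urlunsplit(parts._replace(query=urlencode(query, safe="<>")))

    return URL.sub(repl, text), findings


def scrub(text):
    """Return (redacted_text, findings). An empty findings list means the
    text carried nothing the scrubber recognises as a credential."""
    text, cookie_hits = redact_cookie_header(text)
    text, query_hits = redact_url_secrets(text)
    return text, cookie_hits + query_hits


if __name__ == "__main__":
    clean, hits = scrub(PASTED)
    print(clean)
    for kind, name in hits:
        print(f"redacted {kind} value: {name}")
```

Run it over anything headed for a report, a chat or a ticket; a non-empty findings list is the cue to stop and regenerate the artefact without the credential rather than rely on the redaction alone. The scrubber is deliberately coarse: every cookie value is masked, not just ones with "session" in the name, because any cookie may be the one that authenticates the browser.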

HackerOne offers financial rewards to individuals who spot weaknesses in a product.

Companies such as Starbucks, Instagram, and Slack use HackerOne's "bug bounty" programs to detect problems before malicious hackers can exploit them.

HackerOne fixed the vulnerability on its platform within two hours of haxta4ok00 reporting it.

'No harm meant'

Following the incident, HackerOne co-founder Jobert Abma asked haxta4ok00 why they probed as deeply as they did.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma on HackerOne's website. "Would you mind explaining why you did so to us?"

Haxta4ok00 responded saying he wanted to show the impact. "I didn't mean any harm by it. I reported it to you at once... I apologise if I did anything wrong. But it was just a white hack."

A HackerOne spokesperson added: "The team followed standard protocol to conduct a comprehensive investigation of the issue and implement immediate and long-term fixes within hours of the report. The comprehensive investigation concluded that there was no evidence of malicious intent.

"This was a vulnerability reported through HackerOne's own bug bounty program by an active HackerOne hacker community member and was safely resolved.

"All customers [affected] were notified the same day."