HackerOne platform got hacked by a researcher who reported a vulnerability but never got paid

HackerOne is one of the most important vulnerability reporting platforms, so it has access to large amounts of information, although sometimes that information can be exposed. According to ethical hacking specialists, the platform had to pay more than $20k USD after mistakenly handing over improper access to an external actor, as per a report published by Ars Technica.

This external actor is a hacker who has previously collaborated with the platform. Weeks earlier, one of HackerOne’s analysts had contacted the hacker through a series of messages; among these messages, the HackerOne analyst mistakenly sent cURL code snippets that included valid session cookies that allowed its holder to read and partially modify some data held by HackerOne and its analysts.

Member ‘haxta4ok00’ wrote to HackerOne: “I can read and edit all security reports. I haven’t changed a thing and I haven’t exploited this flaw, all for the sake of the hacking community”. The user also offered to send evidence of their claims to the analysts of the platform.

HackerOne revoked the session cookie shortly after the user informed them about the error; the platform’s ethical hacking team then began an investigation to determine any possible consequences.

In its report on the incident, HackerOne mentions that potentially affected partner companies have already been notified, in addition, they added that not all security reports received were compromised, but only the reports to which the analyst who made the mistake had access to. However, the platform also published a transcript of its interaction with user haxta4ok00, which suggests that the scope of the incident could be considerable.

In the conversation, Jobert Abma, co-founder of HackerOne, questions the user about his way of verifying that he had access to the reports, to which the user assured: “Three years ago I reported on this kind of attack, but only at the theoretical level, although no one listened to me. I understand that I am not authorized to access this data, but I did so for ethical hacking purposes.”

Ethical hacking experts believe that this incident would also have given the user other malicious capabilities on the platform, such as access to reward payment systems, rule modification, user modification or alteration of received reports. Despite this, the user claims that he did not modify anything; on the other hand, Reed Loden, director of security of the platform, says that there is no record of any changes in the information presented.

The security director also mentioned that the theoretical attack that the user claims to have reported three years ago, was based on older browsers that were not (and still are not) compatible with HackerOne’s requirements.

According to the ethical hacking specialists from the International Institute of Cyber Security (IICS), although there is no evidence to show that the user altered or stored the compromised information, this should be a sample of the security risks that platforms like HackerOne and companies that rely on them to generate environments less prone to exploiting security flaws.