HackerOne awards $20,000 bug bounty for private data access vulnerability on its own platform

December 5, 2019
in Internet Security

HackerOne has awarded $20,000 to a researcher who disclosed a way to access private bug reports on the platform.

The irony is hard to miss: HackerOne is used by companies large and small to tap into a pool of cybersecurity researchers and enthusiasts who find and responsibly disclose vulnerabilities.

This kind of vulnerability crowdsourcing has ramped up in popularity over recent years as data breaches are now an everyday occurrence and organizations find themselves pitted against threat actors constantly seeking ways to compromise websites, software, and online services. 

However, the same bugs that HackerOne assists companies in finding and squashing can impact these kinds of platforms, too. 

This week, a report was made public describing a serious session cookie issue on HackerOne that could be used for account takeover and unauthorized access to private information.

The issue was disclosed privately on November 24 by a bug bounty hunter who goes by the handle haxta4ok, who revealed they had been able to access a security analyst's HackerOne account.

The analyst, a HackerOne staff member, had accidentally posted their session cookie, which gave haxta4ok access to the account and, through it, external access to private bug reports submitted by others.

HackerOne says the "human error" occurred while the analyst was attempting to replicate a submission made to the platform. The attempt failed, so the analyst continued the conversation with the hacker who had reported the bug in question; in doing so, they exposed their own valid session cookie.

It appears to have been a copy-and-paste problem: according to the platform, during this dialogue "parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie."
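
The leak described above happened at the moment of posting, which is also where it is cheapest to catch. The Python snippet below is an added example, not code from HackerOne or from the original article; it shows how a bug tracker or a pre-submit hook could redact credential-bearing parts of a browser-generated cURL command (Cookie and Authorization headers, and curl's -b/--cookie flag) before the comment is stored. The header list, the command text and the session value are constructed for this example.

```python
import re

# Header names whose values are credentials when copied out of a browser's
# "Copy as cURL" output (constructed list for this example; extend as needed).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token"}

# Matches -H 'name: value' / --header "name: value"
_HEADER_RE = re.compile(
    r"""(?P<flag>-H|--header)\s*(?P<q>['"])\s*(?P<name>[A-Za-z0-9-]+)\s*:\s*(?P<value>.*?)(?P=q)""",
    re.DOTALL,
)
# Matches -b 'name=value' / --cookie "name=value" (curl's cookie shorthand)
_COOKIE_FLAG_RE = re.compile(
    r"""(?P<flag>-b|--cookie)\s*(?P<q>['"])(?P<value>.*?)(?P=q)""",
    re.DOTALL,
)


def redact_curl_secrets(text):
    """Redact credential-bearing parts of any cURL command found in free text.

    Returns (redacted_text, findings), where findings lists the lowercase
    header names that were redacted, in the order they were found.
    """
    findings = []

    def _redact_header(m):
        name = m.group("name")
        if name.lower() not in SENSITIVE_HEADERS:
            return m.group(0)  # harmless header: leave it untouched
        findings.append(name.lower())
        return f"{m.group('flag')} {m.group('q')}{name}: [REDACTED]{m.group('q')}"

    def _redact_cookie_flag(m):
        findings.append("cookie")
        return f"{m.group('flag')} {m.group('q')}[REDACTED]{m.group('q')}"

    text = _HEADER_RE.sub(_redact_header, text)
    text = _COOKIE_FLAG_RE.sub(_redact_cookie_flag, text)
    return text, findings


def safe_to_post(text):
    """True when the text carries no credential the redactor recognises."""
    return not redact_curl_secrets(text)[1]


# Constructed sample in the shape a browser's "Copy as cURL" produces;
# the host and the session value are made up for this example.
SAMPLE_COMMENT = """Repro steps - run this against the report endpoint:
curl 'https://platform.example.test/reports/12345' \\
  -H 'authority: platform.example.test' \\
  -H 'cookie: __Host-session=c0nstructed-s3ssion-value; _csrf=abc123' \\
  -H 'user-agent: Mozilla/5.0' \\
  --compressed"""

if __name__ == "__main__":
    redacted, found = redact_curl_secrets(SAMPLE_COMMENT)
    print("redacted headers:", found)
    print(redacted)
```

Redacting rather than rejecting keeps the rest of the command useful as reproduction steps, and the findings list gives the platform something to log and alert on, so an analyst learns of the near miss even when the gate caught it.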

Because the cookie was still valid, everything the analyst was permitted to access on the platform was also available to the external hacker, including the customer reports the employee was handling and a Human-Augmented Signal (HAS) inbox containing reports outside standard HackerOne triage.

HackerOne took two hours to respond to the original report, which arrived on a Sunday morning.

“For critical submissions, HackerOne’s security team automatically receives a notification on Slack,” the firm says. “This works during business hours but is unreliable over the weekend.”

The session cookie was revoked the same day, two hours and three minutes after HackerOne triaged the report. A comment audit launched by the organization to check for other accidental cookie leaks found no other live cookies.

A bug bounty of $20,000 was awarded to haxta4ok for the critical issue, given its impact on private client data and accounts.

Customers whose information was viewable have been notified, and HackerOne has now restricted analyst sessions to their originating IP addresses, which may mitigate similar issues in the future.
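
The originating-IP restriction described above can be expressed as a server-side session check. The snippet below is an added illustration and not HackerOne's code: it assumes an in-memory store in which every session records the address it was issued from, and it rejects, and revokes, a session whenever a valid token arrives from a different address, so a copied cookie is useless off the original network and the legitimate holder is forced to sign in again. The addresses and timestamps are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    origin_ip: str      # client address recorded when the session was issued
    expires_at: float   # unix timestamp
    revoked: bool = False


class SessionStore:
    """In-memory session store that binds each session to its originating IP.

    Assumed design for this example: a valid token presented from a different
    address is treated as a leaked cookie, the request is rejected and the
    session is revoked, so the original holder must authenticate again too.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user, origin_ip, ttl_seconds=8 * 3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user, origin_ip, now + ttl_seconds)
        return token

    def validate(self, token, request_ip, now=None):
        """Return (user, None) if the session is usable, else (None, reason)."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown_token"
        if sess.revoked:
            return None, "revoked"
        if now >= sess.expires_at:
            return None, "expired"
        # The address is now part of the credential, so compare it in constant time.
        if not hmac.compare_digest(sess.origin_ip.encode(), request_ip.encode()):
            sess.revoked = True
            return None, "ip_mismatch"
        return sess.user, None

    def revoke(self, token):
        """Explicit revocation, e.g. after a leak is reported. True if the token existed."""
        sess = self._sessions.get(token)
        if sess is not None:
            sess.revoked = True
        return sess is not None


if __name__ == "__main__":
    # Constructed addresses from documentation ranges; no real hosts involved.
    store = SessionStore()
    token = store.create("analyst", "203.0.113.10", now=1_000.0)
    print(store.validate(token, "203.0.113.10", now=2_000.0))   # ('analyst', None)
    print(store.validate(token, "198.51.100.7", now=2_000.0))   # (None, 'ip_mismatch')
    print(store.validate(token, "203.0.113.10", now=2_000.0))   # (None, 'revoked')
```

IP binding is a blunt instrument: analysts on mobile networks or behind load-balanced egress will see their sessions die when their address changes, which is why it is usually reserved for high-privilege accounts and paired with a short TTL and a fast revocation path rather than used as the only control.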

Credit: Zdnet