Bug bounty firm HackerOne suffers ‘sloppy cut-and-paste’ breach

6 Dec 2019

Image: © Мария Ястребова/Stock.adobe.com

HackerOne has paid a bug bounty of $20,000 to a community user who discovered a breach in the cybersecurity platform.

Bug bounty platforms are growing in popularity as major names in tech, such as Microsoft and Apple, offer lucrative rewards to any hacker who can find and responsibly report critical bugs in their systems.

These hackers, often called white hat or ‘ethical’ hackers, earn that label because they use their skills for good, reporting vulnerabilities rather than exploiting them. They are generally seen as the legitimate segment of the hacker population, as opposed to the cybercriminals who profit from their crimes.

HackerOne is a bug bounty platform that aims to streamline the vulnerability reporting process, and it has garnered support and funding from the tech industry. In September, the company raised $34.6m from existing investors including Benchmark and New Enterprise Associates.

It has paid hackers more than $23m on behalf of clients such as Spotify, Slack, Starbucks, Nintendo, Twitter and even the Pentagon.

‘A sloppy cut-and-paste’

Yet, in an ironic turn of fortunes for the firm, HackerOne has now paid out a $20,000 bounty for the identification of a bug on its own platform.

The hacker in question, user ‘haxta4ok00’, had been corresponding with one of HackerOne’s security analysts last month. During the exchange, the analyst inadvertently pasted a valid session cookie into a message. A session cookie is a bearer credential: the server treats whoever presents it as the logged-in analyst, no password or second factor required. Anyone who saw the pasted value could therefore read, and partially modify, any data the analyst themselves could access.

Using HackerOne’s own reporting platform, haxta4ok00 notified the company of the exposed cookie, and HackerOne revoked the session a few hours later.

According to a HackerOne spokesperson, fewer than 5pc of HackerOne programmes were affected, and all of them were notified within 24 hours of the report being received. For reporting the incident, HackerOne paid the user $20,000.

British security blogger Graham Cluley described the incident as a case of “sloppy cut-and-paste”, but applauded HackerOne for its transparency.

“Let’s hope that they and other organisations put measures in place to make such human errors less potentially damaging in future,” he continued.
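Two measures of the kind Cluley is calling for, shown as an added example that is not part of the original article and not HackerOne’s own code: an outbound check that masks cookie-shaped secrets before an analyst’s message is sent, and a server-side session store that binds each session to the client that created it and revokes the session the moment the same token arrives from a different client. The regular expression, the `app_session` cookie name, the fingerprint inputs and the `SessionStore` design are all assumptions made for this example; the sample message is constructed.

```python
import hashlib
import re
import secrets
import time

# Hypothetical pattern for cookie-shaped secrets: a name that looks like a
# session/auth cookie, then "=", then a long opaque value. It is tuned for the
# constructed sample below, not for any real platform's cookie names.
SESSION_COOKIE_RE = re.compile(
    r"\b(?P<name>[A-Za-z0-9_.-]*(?:session|sess|sid|auth|token)[A-Za-z0-9_.-]*)"
    r"=(?P<value>[A-Za-z0-9%._~+/=-]{20,})",
    re.IGNORECASE,
)


def redact_session_cookies(text):
    """Return (redacted_text, names) with every cookie-shaped value masked.

    Intended to run on an outgoing message before it is posted, so a pasted
    cURL command or raw HTTP header cannot carry a live session out with it.
    Short values such as "report_id=12345" are left alone.
    """
    names = []

    def _mask(match):
        names.append(match.group("name"))
        return f"{match.group('name')}=[REDACTED]"

    return SESSION_COOKIE_RE.sub(_mask, text), names


def client_fingerprint(ip, user_agent):
    """Hash of the client attributes a session is bound to (assumed choice)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions that are client-bound and revocable (assumed design).

    Only a hash of the token is kept, so a dump of the store does not leak
    usable cookies; sessions expire after `ttl` seconds; and a token presented
    from a client other than the one that created it is treated as stolen and
    revoked, which also logs the legitimate user out so they notice.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, fingerprint, ttl=3600, now=None):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "fp": fingerprint,
            "exp": (now if now is not None else time.time()) + ttl,
        }
        return token

    def resolve(self, token, fingerprint, now=None):
        """Return the session's user, or None (revoking it) if it is not valid."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        current = now if now is not None else time.time()
        if rec["exp"] <= current:
            self.revoke(token)
            return None
        if not secrets.compare_digest(rec["fp"], fingerprint):
            # Same cookie, different client: assume it leaked and kill it.
            self.revoke(token)
            return None
        return rec["user"]

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    # Constructed sample: an analyst pastes a cURL reproduction into a report.
    message = ("Reproduced with: curl -H 'Cookie: app_session="
               "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA' https://example.invalid/reports/1")
    clean, leaked = redact_session_cookies(message)
    print(clean)
    print("masked cookies:", leaked)

    store = SessionStore()
    fp = client_fingerprint("203.0.113.10", "Mozilla/5.0")
    token = store.create("analyst", fp)
    print(store.resolve(token, fp))                                      # analyst
    print(store.resolve(token, client_fingerprint("198.51.100.7", "curl/7.0")))  # None
    print(store.resolve(token, fp))                                      # None, revoked
```

Neither measure removes the need for short session lifetimes and the `HttpOnly` and `Secure` cookie attributes; the redaction step narrows how often a paste leaks a credential, and the client binding narrows what a leaked credential is worth and makes the misuse visible.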

Eva Short was a journalist at Silicon Republic