HackerOne pays bounty for its own data breach

The bug bounty platform HackerOne has paid a $20,000 bounty to an external hacker after it accidentally gave him the ability to read, and partially modify, some of its customers' bug reports.

It all started when the outsider, a HackerOne community member with a proven record of finding vulnerabilities, was communicating with one of the company's security analysts. The HackerOne analyst sent the user, who goes by the handle haxta4ok00, parts of a cURL command.

But the cURL command the analyst sent erroneously contained a valid session cookie. Because a session cookie is a bearer credential, anyone who possessed it could read, and partially modify, all of the data the analyst had access to.
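The failure mode above is a credential pasted along with a reproduction command. A simple mitigation is to scrub credential-bearing headers and flags from a cURL command before it leaves the analyst's machine. The following is an added example, not code from HackerOne or from the article; the flag and header names it recognises are the standard curl ones, and the sample command is constructed for illustration.

```python
import shlex

# Header names whose values are credentials (session cookies, bearer tokens, API keys).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "x-auth-token"}
# curl flags whose next argument is a credential: -b/--cookie and -u/--user.
CREDENTIAL_FLAGS = {"-b", "--cookie", "-u", "--user"}
HEADER_FLAGS = {"-H", "--header"}
REDACTED = "<REDACTED>"


def _redact_header(raw: str, findings: list) -> str:
    """Replace the value of a sensitive 'Name: value' header, leave others untouched."""
    name, sep, _value = raw.partition(":")
    name = name.strip()
    if sep and name.lower() in SENSITIVE_HEADERS:
        findings.append(f"header {name}")
        return f"{name}: {REDACTED}"
    return raw


def redact_curl_command(cmd: str):
    """Return (sanitized_command, findings).

    findings lists what was redacted so the sender can see why the paste was
    changed. shlex.split keeps a quoted header such as 'Cookie: a=b' as one token."""
    tokens = shlex.split(cmd)
    findings = []
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # Separated form: -H 'Cookie: ...' or --header 'Cookie: ...'
        if tok in HEADER_FLAGS and i + 1 < len(tokens):
            out += [tok, _redact_header(tokens[i + 1], findings)]
            i += 2
            continue
        # Combined short form: -HCookie:...
        if tok.startswith("-H") and len(tok) > 2 and not tok.startswith("--"):
            out.append("-H" + _redact_header(tok[2:], findings))
            i += 1
            continue
        # Separated credential flags: -b value, --cookie value, -u value, --user value
        if tok in CREDENTIAL_FLAGS and i + 1 < len(tokens):
            findings.append(f"flag {tok}")
            out += [tok, REDACTED]
            i += 2
            continue
        # Long form with '=': --cookie=value, --user=value
        long_eq = next((f for f in ("--cookie=", "--user=") if tok.startswith(f)), None)
        if long_eq:
            findings.append(f"flag {long_eq[:-1]}")
            out.append(long_eq + REDACTED)
            i += 1
            continue
        # Combined short credential flags: -bvalue, -uvalue
        if len(tok) > 2 and tok[:2] in ("-b", "-u") and not tok.startswith("--"):
            findings.append(f"flag {tok[:2]}")
            out.append(tok[:2] + REDACTED)
            i += 1
            continue
        out.append(tok)
        i += 1
    return shlex.join(out), findings


def is_safe_to_share(cmd: str) -> bool:
    """True only if the command carries no recognised credential."""
    return not redact_curl_command(cmd)[1]


# Constructed sample: a reproduction command that accidentally carries a session
# cookie and basic-auth credentials alongside a harmless Content-Type header.
SAMPLE = (
    "curl -X POST 'https://platform.example/api/reports' "
    "-H 'Cookie: __Host-session=abc123' "
    "-H 'Content-Type: application/json' "
    "-u analyst:s3cret -d '{\"id\":1}'"
)

if __name__ == "__main__":
    safe, found = redact_curl_command(SAMPLE)
    print(safe)
    print("redacted:", found)
```

Run the scrubber as a pre-send hook (a clipboard filter or a chat-bot check) rather than relying on the analyst to notice a 200-character cookie in a long command; the `findings` list is what the hook reports back so the sender understands what was removed.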

Fortunately, HackerOne was able to revoke the session cookie quickly, only two hours after haxta4ok00 first reported the breach.

Breach

At this time, HackerOne has not said how much data was exposed by the security analyst's error. In a recently published incident

The report also showed that the exposed data was limited to the reports the analyst had access to. However, the disclosure gives no indication of how many customers or how much data was affected. A day after the incident occurred, HackerOne co-founder Jobert Abma wrote to haxta4ok00:

“Something that we hadn’t asked you yet. We do not find it necessary for you to have opened all the reports and pages to check that you had access to the account. Would you explain to us why you did so?”

Haxta4ok00 responded to this question by saying that he opened all of the reports and pages to show “impact”, and that he had no intention of damaging either HackerOne or its customers. This explanation was not enough for Abma, who replied: “This was a major incident because of the amount of data you accessed, not because it happened in the first place.”

Haxta4ok00 received a bounty of $20,000 for his discovery, while learning the valuable lesson that just because files were accidentally made accessible to you, it does not mean you should open them.

Ars Technica

Published on Wed, 04 Dec 2019 21:23:45 +0000
