HackerOne pays $20,000 bug bounty after 'sloppy' breach

A company which helps big businesses uncover security holes in their platforms has itself been hacked.

HackerOne, which pays hackers who find bugs in products, services and websites for the likes of Uber and Goldman Sachs, was breached by one of its own community members.

The vulnerability was exposed by a user with the handle haxta4ok00.

Following the incident, HackerOne has paid $20,000 (£15,224) to haxta4ok00 for exposing the flaw.
A HackerOne spokesperson said in a statement: "Last week, while reporting a vulnerability to HackerOne, a hacker had access for a short time to information relating to other programs running on the HackerOne platform.

"Less than 5% of HackerOne programs were impacted, and those programs were contacted within 24 hours of report receipt."

Security analyst Graham Cluley described the incident as "sloppy" in a blog post on Thursday.
Cut-and-paste

"A simple human error potentially put other companies' bugs in danger of being exposed," Cluley said.

"One of the staff at HackerOne cut-and-pasted a URL with a bug hunter, but it unfortunately contained his session cookie details.

"With that information the bug hunter was able to view HackerOne records that only that logged-in staff member was supposed to have been able to see.

"If that information had been shared with someone with malicious intent, it could potentially have exposed the private vulnerabilities of many large organisations, including even the US Department of Defense."

HackerOne offers financial rewards to individuals who spot weaknesses in a product.
Companies such as Starbucks, Instagram, and Slack use HackerOne's "bug bounty" programs to detect problems before malicious hackers can exploit them.

HackerOne fixed the vulnerability on its platform within two hours of haxta4ok00 reporting it.
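The weak point Cluley describes is that a session cookie is a bearer credential: the web application treats whoever presents it as the logged-in user, so a cookie carried along in a pasted URL or a copied request hands the recipient that user's access until the session is revoked. The script below is an added example, not HackerOne's code and not anything the report describes: a scrubber that redacts session cookies, Authorization headers and token-like query parameters from text before it is shared with someone outside the session. The cookie and parameter name lists, the hostname, the curl command and every value in the sample are constructed for illustration.

```python
"""Redact session credentials from text that is about to be pasted to someone else.

Added example for this article; not HackerOne's code. The cookie and parameter
name lists and all sample values are assumptions made for illustration.
"""
import re

# Cookie and query-parameter names that usually carry a login session.
# Assumed list for the example; a real deployment would use the app's own names.
SESSION_COOKIE_NAMES = {
    "__host-session", "session", "sessionid", "sid",
    "phpsessid", "jsessionid", "_session_id",
}
SESSION_PARAM_NAMES = {"token", "access_token", "session", "sessionid", "api_key"}

REDACTED = "[REDACTED]"

# -H 'Cookie: a=1; b=2' in a curl command, or a raw "Cookie:" request line
COOKIE_HEADER_RE = re.compile(r"(?i)(cookie:\s*)([^'\"\r\n]+)")
# curl -b 'a=1; b=2' / --cookie "a=1" / -b a=1
CURL_COOKIE_RE = re.compile(r"((?:^|\s)(?:-b|--cookie)\s+)(['\"]?)([^'\"\r\n]+?)\2(?=\s|$)")
# Authorization: Bearer <token> (also Basic / Token schemes)
AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*(?:bearer|basic|token)\s+)([^'\"\s]+)")
# ?token=abc or &session=abc inside a URL
QUERY_PARAM_RE = re.compile(r"([?&])([A-Za-z0-9_\-]+)=([^&\s'\"#]+)")


def _redact_cookie_pairs(cookie_str, findings):
    """Replace the value of every session cookie in 'a=1; b=2', keeping the names."""
    out = []
    for pair in cookie_str.split(";"):
        name, eq, _value = pair.strip().partition("=")
        name = name.strip()
        if eq and name.lower() in SESSION_COOKIE_NAMES:
            findings.append(f"cookie {name}")
            out.append(f"{name}={REDACTED}")
        else:
            out.append(pair.strip())
    return "; ".join(out)


def scrub(text):
    """Return (clean_text, findings); findings describes each redaction made."""
    findings = []

    def on_cookie_header(m):
        return m.group(1) + _redact_cookie_pairs(m.group(2), findings)

    def on_curl_cookie(m):
        quote = m.group(2)
        return m.group(1) + quote + _redact_cookie_pairs(m.group(3), findings) + quote

    def on_auth_header(m):
        findings.append("authorization header")
        return m.group(1) + REDACTED

    def on_query_param(m):
        sep, name, _value = m.groups()
        if name.lower() in SESSION_PARAM_NAMES:
            findings.append(f"query parameter {name}")
            return f"{sep}{name}={REDACTED}"
        return m.group(0)

    text = COOKIE_HEADER_RE.sub(on_cookie_header, text)
    text = CURL_COOKIE_RE.sub(on_curl_cookie, text)
    text = AUTH_HEADER_RE.sub(on_auth_header, text)
    text = QUERY_PARAM_RE.sub(on_query_param, text)
    return text, findings


def safe_to_share(text):
    """True only if scrub() would change nothing, i.e. no session material was found."""
    return not scrub(text)[1]


# Constructed sample: a reproduction command a triager might paste to a reporter.
# Hostname, path, cookie and token values are made up.
SAMPLE = (
    "curl 'https://example.test/reports/12345?token=t0k3n' "
    "-H 'Cookie: __Host-session=SGVsbG8gSGFja2VyT25l; theme=dark' "
    "-H 'Authorization: Bearer eyJhbGciOi...' "
    "--compressed"
)

if __name__ == "__main__":
    clean, found = scrub(SAMPLE)
    print(clean)
    print("redacted:", found)
```

On the constructed sample the non-sensitive `theme=dark` cookie stays visible while the session cookie, bearer token and `token` parameter become `[REDACTED]`; `safe_to_share` is the kind of gate a paste-to-reporter workflow could enforce before text leaves the staff member's screen. The name lists are deliberately short and would need tuning to the application's own cookie names, and a scrubber complements rather than replaces short session lifetimes and the ability to revoke a session promptly once a leak is reported.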
'No harm meant'

Following the incident, HackerOne co-founder Jobert Abma asked haxta4ok00 why they probed as deeply as they did.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma on HackerOne's website. "Would you mind explaining why you did so to us?"

Haxta4ok00 responded saying he wanted to show the impact.

"I didn't mean any harm by it. I reported it to you at once. I apologise if I did anything wrong. But it was just a white hack."

A HackerOne spokesperson added: "The team followed standard protocol to conduct a comprehensive investigation of the issue and implement immediate and long-term fixes within hours of the report. The comprehensive investigation concluded that there was no evidence of malicious intent.

"This was a vulnerability reported through HackerOne's own bug bounty program by an active HackerOne hacker community member and was safely resolved.

"All customers [affected] were notified the same day."