Technology

HackerOne pays up after data incident

   Download Android App    Share in      FullScreen   CheckVideos

The bug bounty platform HackerOne has paid a $20,000 bounty to an outside hacker after it accidentally gave them the ability to read and modify some of its customers bug reports.It all began when the outsider, who is a HackerOne community member with a proven track record of finding vulnerabilities, was communicating with one of the company's security analysts.

The HackerOne analyst sent the user, who goes by the handle haxta4ok00, parts of a cURL command.However, the cURL command the analyst sent mistakenly included a valid session cookie which could be used by anyone who possessed it to read and even partially modify all of the data the analyst had access to.Luckily HackerOne was able to quickly revoke the session cookie just two hours after haxta4ok00 first reported the incident.At this time, HackerOne is not saying just how much data was exposed by the security analyst's mistake.

In a recently published incident report though, the company said that all affected customers have already been notified privately.The report also revealed that the exposed data was limited to reports the security analyst had access to.

However, the disclosure does not even provide any clues as to how many customers or how much data was affected.

A day after the incident occurred, HackerOne cofounder Jobert Abma wrote to haxta4ok00, saying:“Something came up that we hadn’t asked you yet.

We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account.

Would you mind explaining why you did so to us?” Haxta4ok00 responded to this question by saying that he opened all of the reports and pages in order to “show the impact” and did not intend any harm to either HackerOne or its customers.

This explanation wasn't enough for Abma who replied, saying: “This became a bigger incident due to the amount of data that you accessed, not because it happened in the first place.Haxta4ok00 still received a bounty of $20,000 for his discovery while learning the valuable lesson that just because files have been accidentally made accessible to you, it doesn't mean you should open them. Via Ars Technica




Unlimited Portal Access + Monthly Magazine - 12 issues-Publication from Jan 2021

Buy Our Merchandise (Peace Series)

 

Contribute US to Start Broadcasting


It's Voluntary! Take care of your Family, Friends and People around You First and later think about us. Its Fine if you dont wish to contribute and if you wish to contribute then think about the Homeless first and Feed them. We can survive with your wishes too :-). You can Buy our Merchandise too which are of the finest quality.

Debit/Credit/UPI

UPI/Debit/Credit

Paytm

STRIPE

Details
Category: Technology


25