Bug bounty platform provider HackerOne Tuesday disclosed that one of its own security analysts mistakenly sent a session cookie to a white-hat researcher on Nov. 24, allowing the researcher to take over the analyst’s account and access vulnerability reports on a number of companies.
The researcher, known in the HackerOne community as haxta4ok00, promptly reported the error to the company and was paid a $20,000 bug bounty for doing so – but not before being questioned about viewing sensitive data belonging to HackerOne clients.
According to HackerOne’s online disclosure, the inadvertent cookie leak took place when the security analyst sent haxta4ok00 a communication containing part of a cURL command – copied from a browser console – that included the analyst’s session cookie. The researcher found that the cookie was enough to resume the analyst’s session, despite working from a different device than the one that started it. HackerOne said it did not prevent the cookie from being used in a separate context because, among other reasons, “many of HackerOne’s users work from mobile connections and through proxies,” and so “blocking access would degrade the user experience for those users.”
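The two practical lessons from that paragraph are that a browser’s “Copy as cURL” output carries the Cookie header (and often an Authorization header) verbatim, and that a server which does not bind a session to its originating client will accept the cookie from anywhere. The following added example is not HackerOne’s code or part of the disclosure; it shows a redaction pass to run over a copied cURL command before pasting it into a report, and a toy session-context policy that takes the step-up route (re-authenticate on an IP change, reject on a device change) rather than the blunt blocking HackerOne said would hurt mobile and proxy users. The header list, the sample command, the host example.invalid and the policy thresholds are all constructed for the illustration.

```python
"""Added example, not from the HackerOne disclosure: redact credential-bearing
headers from a browser "Copy as cURL" command, and sketch a session-binding
policy that a server could apply when a cookie shows up from a new context."""
import shlex

# Headers whose values act as bearer credentials. Constructed list for this
# example; extend it to whatever your application uses.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-xsrf-token"}

# Constructed sample of what a browser's "Copy as cURL" emits (host and
# cookie value are made up). Note the session cookie sits in plain text.
SAMPLE_CURL = r"""curl 'https://example.invalid/reports/42' \
  -H 'accept: application/json' \
  -H 'cookie: __Host-session=s3cr3t-example-token; _csrf=xyz' \
  -H 'user-agent: Mozilla/5.0' \
  --compressed"""


def redact_curl(cmd: str) -> str:
    """Return the cURL command with sensitive header values replaced.

    Handles `-H`/`--header 'Name: value'` and `-b`/`--cookie`. Every other
    token (URL, method, data flags) is passed through unchanged so the
    command stays useful for reproducing a request.
    """
    # Join shell line continuations before tokenising; shlex would otherwise
    # turn a backslash-newline into a stray newline token.
    tokens = shlex.split(cmd.replace("\\\n", " "))
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--header") and i + 1 < len(tokens):
            name, sep, _value = tokens[i + 1].partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                out += [tok, f"{name.strip()}: [REDACTED]"]
            else:
                out += [tok, tokens[i + 1]]
            i += 2
        elif tok in ("-b", "--cookie") and i + 1 < len(tokens):
            # -b carries the whole cookie jar string; drop it entirely.
            out += [tok, "[REDACTED]"]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(shlex.quote(t) for t in out)


def assess_session_reuse(bound: dict, request: dict) -> str:
    """Decide what to do when a session cookie arrives from a new context.

    `bound` is the client context recorded when the session was issued,
    `request` the context of the current request; both are dicts with
    "ip" and "user_agent" keys. Returns one of:
      "allow"   - same IP and user agent
      "step_up" - IP changed only: common for mobile and proxy users, so
                  force re-authentication instead of dropping the session
      "deny"    - user agent changed: a different browser or device, which
                  is what a pasted cookie used elsewhere looks like
    This is an illustrative policy, not one the article attributes to HackerOne.
    """
    if bound["user_agent"] != request["user_agent"]:
        return "deny"
    if bound["ip"] != request["ip"]:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    print(redact_curl(SAMPLE_CURL))
    bound = {"ip": "203.0.113.5", "user_agent": "Mozilla/5.0 (X11; Linux)"}
    for req in (
        bound,
        {"ip": "198.51.100.7", "user_agent": bound["user_agent"]},
        {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (iPhone)"},
    ):
        print(req["ip"], "->", assess_session_reuse(bound, req))
```

Running the module prints the sanitised command, in which the URL and the harmless `accept` header survive but the cookie value is gone, followed by the three policy outcomes. The redaction step is the one worth wiring into a clipboard or chat-bot hook, since it removes the credential before a human has the chance to paste it.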