HackerOne Pays $20,000 Bug Bounty After 'sloppy' Breach


A company which helps big businesses uncover security holes in their platforms has itself been hacked.

HackerOne, which pays hackers who find bugs in products, services and websites for the likes of Uber and Goldman Sachs, was breached by one of its own community members.

The vulnerability was exposed by a user with the handle haxta4ok00.

Following the incident, HackerOne has paid $20,000 (£15,224) to haxta4ok00 for exposing the flaw.

A HackerOne spokesperson said in a statement: "Last week, while reporting a vulnerability to HackerOne, a hacker had access for a short time to information relating to other programs running on the HackerOne platform.

"Less than 5% of HackerOne programs were impacted, and those programs were contacted within 24 hours of report receipt."

Security analyst Graham Cluley described the incident as "sloppy" in a blog post on Thursday.

Cut-and-paste

"A simple human error potentially put other companies' bugs in danger of being exposed," Cluley told the BBC.

"One of the staff at HackerOne cut-and-pasted a url with a bug hunter, but it unfortunately contained his session cookie details. With that information the bug hunter was able to view HackerOne records that only that logged-in staff member was supposed to have been able to see.

"If that information had been shared with someone with malicious intent, it could potentially have exposed the private vulnerabilities of many large organisations, including even the US Department of Defense."
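The failure Cluley describes is a session cookie travelling inside a pasted URL (or a copied request). One defensive control is a scrubber that runs over text before it is shared and blanks anything that looks like a session credential. The script below is an added example written for this page; it is not HackerOne's code and has no connection to the incident's actual URLs. The parameter and cookie names in SENSITIVE_NAMES, the host hackerone.example and the sample paste are constructed assumptions.

```python
"""Redact session-cookie material from text before it is pasted or shared.

Added, defender-side example (not from the article or from HackerOne).
Names, hosts and sample input are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter / cookie names that usually carry a session or bearer credential.
# Assumed list for this example; a real deployment tunes it to its own apps.
SENSITIVE_NAMES = {
    "session", "sessionid", "session_id", "sid", "_session", "token",
    "access_token", "auth", "phpsessid", "jsessionid",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
COOKIE_LINE_RE = re.compile(r"(?im)^(cookie|set-cookie):[ \t]*(.+)$")


def is_sensitive(name: str) -> bool:
    """Heuristic: exact match on the list, or a *_session / *_token suffix."""
    n = name.strip().lower()
    return n in SENSITIVE_NAMES or n.endswith("_session") or n.endswith("_token")


def redact_url(url: str):
    """Blank the values of sensitive query/fragment parameters in one URL.

    Returns (clean_url, findings); findings is a list of human-readable notes.
    """
    parts = urlsplit(url)
    findings, query = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive(key):
            findings.append(f"url parameter {key!r}")
            value = "REDACTED"
        query.append((key, value))
    fragment = parts.fragment
    # Fragments sometimes carry tokens too (e.g. OAuth implicit-flow style).
    if fragment and any(is_sensitive(k)
                        for k, _ in parse_qsl(fragment, keep_blank_values=True)):
        findings.append("url fragment")
        fragment = "REDACTED"
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(query), fragment))
    return clean, findings


def redact_cookie_header(value: str):
    """Blank sensitive cookie values in a Cookie:/Set-Cookie: header value."""
    findings, out = [], []
    for pair in value.split(";"):
        pair = pair.strip()
        name, eq, _ = pair.partition("=")
        if eq and is_sensitive(name):
            findings.append(f"cookie {name!r}")
            pair = f"{name}=REDACTED"
        out.append(pair)
    return "; ".join(out), findings


def scrub(text: str):
    """Redact URLs and cookie header lines in free text.

    Returns (clean_text, findings). An empty findings list means the text
    contained nothing the heuristics recognised as a session credential.
    """
    findings = []

    def _url(match):
        clean, found = redact_url(match.group(0))
        findings.extend(found)
        return clean

    def _cookie(match):
        clean, found = redact_cookie_header(match.group(2))
        findings.extend(found)
        return f"{match.group(1)}: {clean}"

    text = URL_RE.sub(_url, text)
    text = COOKIE_LINE_RE.sub(_cookie, text)
    return text, findings


# Constructed sample: what a support reply might look like before sharing.
SAMPLE_PASTE = (
    "Can you reproduce with this link? "
    "https://hackerone.example/reports/42?sid=s3cr3t&page=2\n"
    "Cookie: _session=deadbeef; theme=dark\n"
)

if __name__ == "__main__":
    clean_text, found = scrub(SAMPLE_PASTE)
    print(clean_text)
    print("redacted:", found)
```

Wiring `scrub` into the clipboard path or the support tool's "send" button is the useful deployment; the heuristics are deliberately name-based rather than entropy-based so that false positives stay readable ("REDACTED" instead of a mangled page parameter) and the findings list can be logged for review.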

HackerOne offers financial rewards to individuals who spot weaknesses in a product.

Companies such as Starbucks, Instagram, and Slack use HackerOne's "bug bounty" programs to detect problems before malicious hackers can exploit them.

HackerOne fixed the vulnerability on its platform within two hours of haxta4ok00 reporting it.

'No harm meant'

Following the incident, HackerOne co-founder Jobert Abma asked haxta4ok00 why they probed as deeply as they did.

"We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account," said Abma on HackerOne's website. "Would you mind explaining why you did so to us?"

Haxta4ok00 responded saying he wanted to show the impact. "I didn't mean any harm by it. I reported it to you at once... I apologise if I did anything wrong. But it was just a white hack."

A HackerOne spokesperson added: "The team followed standard protocol to conduct a comprehensive investigation of the issue and implement immediate and long-term fixes within hours of the report. The comprehensive investigation concluded that there was no evidence of malicious intent.

"This was a vulnerability reported through HackerOne's own bug bounty program by an active HackerOne hacker community member and was safely resolved.

"All customers [affected] were notified the same day."
