“Hacking the Hackers!” — Saving HackerOne from a Data Breach


Avinash Kumar

The title of this story sounds peculiar, but it is accurate. This story revolves around a security issue found at HackerOne that was exposing sensitive personal data of HackerOne bug reporter (hacker) accounts and HackerOne program team member accounts. Sensitive data here means the reporter’s or team member’s email address, phone number, OTP backup codes, GraphQL secret token, API token and so on.

On Wednesday evening, I was walking through HackerOne’s disclosed reports and observing the “graphql” queries for my next research. I was checking how some of the basic queries respond when I attach them to other operations. To collect some basic queries I went to a particular report’s “.json” endpoint; HackerOne has a “.json” endpoint for reports that prints the report in JSON format. Anyone can access this endpoint at https://hackerone.com/reports/<report-id>.json, where report-id is the numeric identifier present on any HackerOne report.

Coming back to the story: when I opened that “.json” endpoint for one of my sandboxed reports, it disclosed my email, phone number and other private details. At first I thought this was happening because I was logged in with my test HackerOne account, so I ignored it. But a second later I thought: let’s check whether it leaks the same sensitive data for other reports too. Fortunately, I had already opened a disclosed report’s .json endpoint in Burp’s Repeater but hadn’t checked it. I went back to that Repeater tab and was surprised: the response was leaking the reporter account’s sensitive data. I didn’t waste any time and immediately sent the report to HackerOne’s security team.

The vulnerable HTTP request (report-id redacted):

GET /reports/XXXXXXX.json HTTP/2
Host: hackerone.com

Nature of the issue: if any HackerOne report (disclosed or private) contains a report summary written by the team or the reporter, then the response to the above HTTP request discloses the sensitive account attributes of that team member or reporter, nested under the summary’s JSON data. If both the team and the reporter posted summaries, it discloses both accounts’ sensitive data.
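The root cause described above is a serializer that embeds a whole account object under a nested field (the summary’s author) instead of an explicit public subset. The following is an added example written for this post, not HackerOne’s code; the data model, field names and sample values are constructed and hypothetical. It shows the over-serialization pattern beside an allowlist-based fix, plus a small leak check a team can run over a public endpoint’s JSON as a regression test.

```python
"""
Added example (not HackerOne's code): how a report ".json" view can leak
nested account attributes, and how an explicit allowlist prevents it.

Assumptions (constructed for illustration): the Account/Summary/Report
model, the field names and every sample value below are hypothetical.
"""
import json
from dataclasses import dataclass, asdict


# Constructed sample model: an account record that stores public profile
# fields and private/security-sensitive attributes side by side.
@dataclass
class Account:
    username: str
    reputation: int
    email: str
    phone: str
    otp_backup_codes: list
    api_token: str


@dataclass
class Summary:
    author: Account
    text: str


@dataclass
class Report:
    id: int
    title: str
    summaries: list  # list of Summary


# Fields meant to be visible to anyone who can read the report.
PUBLIC_ACCOUNT_FIELDS = ("username", "reputation")

# Keys that must never appear in a public serialization; used by the leak check.
SENSITIVE_KEYS = {"email", "phone", "otp_backup_codes", "api_token"}


def serialize_report_unsafe(report: Report) -> dict:
    """Vulnerable pattern: nested objects are dumped wholesale, so the
    summary author's private attributes ride along with the summary."""
    return asdict(report)


def serialize_account_public(account: Account) -> dict:
    """Hardened pattern: build the nested object from an explicit allowlist
    of fields, so adding a new column to Account can never widen the leak."""
    return {name: getattr(account, name) for name in PUBLIC_ACCOUNT_FIELDS}


def serialize_report_safe(report: Report) -> dict:
    """Same report view, but every nested account goes through the allowlist."""
    return {
        "id": report.id,
        "title": report.title,
        "summaries": [
            {"author": serialize_account_public(s.author), "text": s.text}
            for s in report.summaries
        ],
    }


def find_sensitive_keys(obj, path="") -> list:
    """Walk a JSON-compatible structure and return the paths of any
    sensitive key, wherever it is nested. Intended as a response-level
    regression check for endpoints that are readable without a session."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                found.append(here)
            found.extend(find_sensitive_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return found


def sample_report() -> Report:
    """Constructed sample data; none of these values are real."""
    reporter = Account("reporter_example", 1200, "reporter@example.invalid",
                       "+10000000000", ["111111", "222222"], "api_EXAMPLE_TOKEN")
    return Report(4242, "Example finding", [Summary(reporter, "Reporter summary")])


if __name__ == "__main__":
    r = sample_report()
    print("unsafe view leaks:", find_sensitive_keys(serialize_report_unsafe(r)))
    print("safe view leaks:  ", find_sensitive_keys(serialize_report_safe(r)))
    print(json.dumps(serialize_report_safe(r), indent=2))
```

The leak check is deliberately key-name based rather than value based: it is cheap to run in CI against every unauthenticated JSON view, and it catches the case in this post, where the leak sits several levels deep under a field (the summary author) that nobody thought of as an account endpoint.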

A glimpse of the leaked data (redacted) from my test HackerOne account:

After reporting the issue I waited for a response from HackerOne’s security team. Almost a day and a half went by with no response. For faster remediation I tried to reach HackerOne support via X (no information about the issue was supplied; I only alerted them to a critical issue), but received no response. Two days went by and I was still waiting. On the night of 21 Feb 2025, a response arrived on the report from HackerOne co-founder Jobert Abma.

In his reply he immediately triaged the issue and sent it for further investigation. After 2–3 hours he replied that the issue had been mitigated and invited me to retest it to confirm whether it was fixed. I tested and confirmed the issue had been mitigated and that no data leakage remained. The mitigation was remarkably fast.

The same night, about an hour after I confirmed the fix, I received an email from HackerOne that the issue had been marked Critical severity and rewarded with $25000.

I would like to thank the whole HackerOne team involved in fixing the issue, and a special thanks to HackerOne co-founder Jobert Abma for the blazing-fast response and mitigation on this report.

HackerOne report: https://hackerone.com/reports/3000510

Timeline:

Feb 19, 2025: Issue found and reported.
Feb 21, 2025: Issue triaged, fixed and $25000 bounty rewarded. Summary of investigation provided by HackerOne.
April 2, 2025: Issue disclosed.

Thanks!
