On November 24th a hacker posted on the HackerOne bug bounty platform that he could read all the security reports of one of its confidential programmes.
The hacker, known online as haxta4ok00, now had access to a large amount of sensitive information. HackerOne co-founder Jobert Abma confirmed that the hacker had been able to access sensitive and private information, and stated that the issue rated high on the Common Vulnerability Scoring System.
More often than not, it is the smallest details that matter most when it comes to security. In this case the hacker was in communication with a HackerOne analyst, and the analyst made the simple mistake of copying and pasting a URL that contained the employee's cookies. haxta4ok00 reused the session cookie from that URL, which gave him access to the company site and let him view documents just as an employee would, without having to log in.
When the breach was discovered and reported, the session was revoked, so the leaked cookie could no longer be used to access the site.
To prevent further breaches of this kind, HackerOne introduced session restrictions for employees: each session can now only be used from the IP address where it originated.
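The two controls described above, revoking a leaked session and binding each session to the IP address it was issued to, are simple to implement. The following is an added example, not HackerOne's code, showing a minimal in-memory session store that does both; the user name, IP addresses and timestamps are constructed for the demonstration.

```python
"""
Added example (not HackerOne's code): a minimal session store that binds each
session to the client IP that created it and supports explicit revocation.
A token presented from a different IP is rejected and the session is revoked,
so a cookie that leaks (for example by being pasted into a message) cannot be
replayed from elsewhere. All names and values below are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    bound_ip: str          # IP address the session was issued to
    expires_at: float      # absolute expiry time (epoch seconds)
    revoked: bool = False


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl_seconds
        self.audit_log: List[str] = []   # constructed audit trail for the demo

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        """Issue a new unguessable token bound to client_ip."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, now + self._ttl)
        return token

    def validate(self, token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user name if the token is valid for this client, else None."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s.revoked or now >= s.expires_at:
            return None
        if s.bound_ip != client_ip:
            # Genuine token presented from another address: treat it as a
            # possibly leaked cookie, record the event and kill the session.
            self.audit_log.append(
                f"session for {s.user} bound to {s.bound_ip} used from {client_ip}; revoked"
            )
            s.revoked = True
            return None
        return s.user

    def revoke(self, token: str) -> bool:
        """Explicitly end a session, e.g. after a reported leak."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.revoked = True
        return True


def demo() -> dict:
    """Issue a session, use it legitimately, then replay it from another IP."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_700_000_000.0                      # constructed fixed timestamp
    token = store.create("analyst", "198.51.100.10", now=t0)   # documentation IPs (RFC 5737)
    from_owner = store.validate(token, "198.51.100.10", now=t0 + 5)
    from_other = store.validate(token, "203.0.113.77", now=t0 + 10)   # replay from elsewhere
    # After the mismatch the session is dead even for the original address.
    owner_after = store.validate(token, "198.51.100.10", now=t0 + 15)
    return {
        "owner": from_owner,        # "analyst"
        "other": from_other,        # None
        "owner_after": owner_after, # None
        "alerts": len(store.audit_log),  # 1
    }


if __name__ == "__main__":
    print(demo())
```

Binding a session to its originating IP stops the replay seen here, but it also breaks legitimate use when a client's address changes (mobile networks, VPN reconnects, load-balanced NAT), so production systems usually pair it with short session lifetimes and an alert on the mismatch rather than relying on it alone.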
An investigation by HackerOne determined that haxta4ok00's actions were not intended as a malicious attack on the company, and haxta4ok00 deleted all data obtained during the incident. Had he acted with malicious intent, the consequences could have been catastrophic: he would have had access to the security vulnerabilities of large companies, including those of the U.S. Department of Defense.
HackerOne reported that many sensitive documents were exposed, but access was limited to what the HackerOne security analyst could see, which did not include the company's entire customer database.
Craig Young, a senior security researcher at Tripwire, stated that this type of incident is a reminder of the risks involved in working with services that handle vulnerability reports.
Any website that holds confidential and valuable data is a prime target for hackers, and also attracts the interest of criminal actors and intelligence agencies. Ilia Kolochenko, CEO of ImmuniWeb, stated that he was surprised these security measures were not implemented sooner, since they would have made it harder for someone like haxta4ok00 to get into the system. He did praise HackerOne for its quick response and acknowledged its transparent disclosure of the incident, a reminder that human error often poses the greatest threat to security.