Bounty of the Week: $15,000 Snapchat Leak on GitHub

George Mathias
Oct 14, 2018


Welcome to the first post in my ongoing ‘Bounty of the Week’ series! Each week we’ll look at the biggest disclosed bug bounty published on HackerOne. Disclosed reports make public the details of the bug(s) found as well as the payout given, provided all parties involved agree to it. They are extremely valuable to the community: they equip hunters with new information for finding future bugs, and they help other companies recognise similar vulnerabilities in their own applications.

I hope that these reviews help other bug bounty hunters to learn from the disclosures, as well as highlighting any trends in the findings of critical bugs!

The Bug: Snapchat Leaks Sensitive Data on GitHub

Critical bugs — the most severe and most lucrative to find — are often assumed to be complex to discover. A big company is unlikely to have a critical bug that is so easy to see…right?

Well, this isn’t always the case. As the official disclosed report on HackerOne shows, bounty hunter th3g3nt3lman was awarded $15,000 after discovering and reporting a sensitive auth token that a Snapchat software engineer had accidentally pushed to a public GitHub repository.

The Impact

While the token certainly looked juicy, th3g3nt3lman explained in the bug report that they did not want to try and leverage it to find further bugs:

‘I prefer always in such findings not to escalate or try something that might impact [the] target, so it’s up to you to assess the risk’.

What a gentleman, eh? This is considered good practice in the industry: confirming that a token is live is enough to make the report actionable, while using it to pull data or pivot further can put you outside the programme’s rules and, depending on jurisdiction, the law.

Snapchat quickly confirmed that the discovered token was indeed valid, and spent the next couple of days investigating the potential impact of the finding. According to their final response, ‘the web interface needed a valid Snap account, but not the API’. In other words, the token on its own was enough to authenticate to the API of their internal GitHub instance at https://github.sc-corp.net, without the account login the web UI required. If the 9.8 severity rating and $15,000 reward are anything to go by, that API access had the potential for extremely damaging consequences.

Similar Reports

A finding like this one is the dream scenario for hunters: it can be quick to discover, easy to report and (depending on the severity) generously rewarded. Surprisingly, this sort of disclosure happens more often than it should, given how easy it is to prevent. Below are some other public reports on HackerOne involving leaked secrets on GitHub and elsewhere:

Slack Leaks Access Tokens — This critical bug paid out $7,000. Props to the researcher (xsam) for reverse engineering the relevant Electron app to identify the access tokens.


Starbucks Information Leak — Researcher peuch was awarded $1,000 for finding numerous leaks of sensitive data on GitHub. This disclosed report is particularly interesting for the exchanges between peuch and HackerOne/Starbucks staff. The finding was initially (erroneously) dismissed, and only after the researcher pushed back was the report reopened for investigation. By speaking up, peuch ensured they received the bounty a valid disclosure deserved.

Uber Information Leakage — Peuch bagged another reward after finding exposed Uber data on GitHub: specifically expired usernames and passwords for ESXi, and valid credentials for a SendGrid instance. The latter would have allowed a malicious attacker to send email from ANY @uber.com address. The phishing possibilities…

Lessons

For bounty hunters: take some time to scour GitHub for potentially sensitive data exposures. Look beyond the current files of a target’s repositories: commit history and forks keep a secret around long after it has been deleted from the latest revision.

For companies: DON’T MAKE SENSITIVE DATA PUBLICLY AVAILABLE. NEVER. EVER. Keep credentials out of source control entirely, scan changes for token-shaped strings before they are committed, and treat any secret that reaches a public repository as compromised: rotate it, because removing the commit does not remove the clones.
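To make both lessons concrete, here is an added example (not Snapchat’s, HackerOne’s or the original post’s code) of the kind of check that catches a committed token: a small scanner that combines token-shaped regexes with a Shannon-entropy test, the two ideas most GitHub leak-hunting tools are built on. The token prefixes (AKIA, ghp_, xox?-) are public formats; the 4.0-bit entropy threshold and the sample config it scans are assumptions constructed for the example.

```python
# Added example, not Snap's, HackerOne's or the post author's code: a minimal
# secret scanner combining token-shaped regexes with a Shannon-entropy check.
# Token prefixes are public formats; the entropy threshold and the sample
# config below are assumptions / constructed data, not real credentials.
import math
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, matched text)

SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key=value style: password/secret/token/api_key followed by a quoted value
    "assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Any long run of base64 / URL-safe characters is a candidate for the entropy test.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per codebase


def shannon_entropy(s: str) -> float:
    """Bits per character of s; a random 32-char alphanumeric scores about 4.9."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return every signature hit, plus high-entropy tokens on lines no signature explains."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, rx in SIGNATURES.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy", token))
    return findings


# Constructed sample: the AWS key is Amazon's documented placeholder, the rest
# is made up. The first three lines are benign and must not be flagged.
SAMPLE_CONFIG = """\
# constructed sample, not a real leak
runner: ubuntu-latest-runner-image
log_level = "debug"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
slack_bot = xoxb-123456789012-abcdefghijkl
db_password = "correct horse battery staple"
session_secret: 7fA9kQ2zL0pX3vB8nR5tY1wC6mE4hJ0s
"""


def scan_sample() -> List[Finding]:
    return scan_text(SAMPLE_CONFIG)


if __name__ == "__main__":
    for lineno, kind, text in scan_sample():
        print(f"line {lineno}: {kind}: {text}")
```

Run it over the output of `git diff --cached` in a pre-commit hook and a token is caught before it ever leaves the developer’s machine. The entropy test is what catches secrets with no recognisable prefix (the session secret above), at the cost of false positives on hashes and long identifiers, which is why the threshold is worth tuning per repository. If a hit has already been pushed, the fix is rotation, not a rewritten history.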

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Thanks for reading, and catch you next time for the second edition of Bounty of the Week!
