Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform

Browsing the HackerOne hacktivity is one of my daily routines. Reading each new reports published then try to absorb how to replicate it and that’s how I get my first $500USD in HackerOne platform.

I was able to bypass the fix implemented on his report by looking at the other side of the coin.

Douglas Day (the_arch_angel) submitted his report to HackerOne about the Program Email Notification being ignored when being added as external contributor. It was disclosed last August 8, 2019 and on that day I tried to reproduce the scenario. It’s very self-explanatory so I was able to mimic it instantly. Based on the report fix has been implemented and I confirmed it.

Gaining knowledge from different researcher will really help you to grow. I won’t stop reading the article unless I really understand the content of it. Thank you the_arch_angel for submitting your report #645264, very easy to understand and to replicate. I just noticed that his report is about ADDING contributor so basically if he can add then there should be a way to REMOVE and that’s how my story begins to find a gem within his report. I was able to bypass the fix implemented on his report by looking at the other side of the coin.

Journey to bypass:

1. Go to your Program’s report and invite any participant by clicking the Add Participant Link
2. Invited contributor will receive an email without the report Title (since it is already fixed)
3. Go back to Program’s report at the Participants Section hover the mouse cursor on the invited contributor’s email or username.

4. Select REMOVE PARTICIPANT

5. HackerOne will send another email that the invitation has been revoked. But notice that the email sent to the email disclosed the Title that supposed to be masked.

Instant Bounty isn’t? Go and start reading, you might find something precious gem by just reading someone else’s report.

Special thanks to 0xspade and japz for guiding me to this journey.