Bypass HackerOne 2FA requirement and reporter blacklist
Severity: Medium (5.0) — High (7.1)
Weakness: Improper Authorization
Bounty: $10,000
Summary:
First, the initial submission got a bounty of $2,500. But while HackerOne was doing their Root Cause Analysis (RCA) of my report submission, they stumbled upon another vulnerability with High severity.
Since my submission gave them a nudge in the right direction, they rewarded me another $7,500 for the increased scope of the finding.
Research:
My routine when I am hunting on the HackerOne main platform is always to check whether they have a new incoming feature, and I saw that there is a beta feature called Embedded Submission Form, which enables hackers to anonymously submit reports without having to create an account on HackerOne. For additional information, learn more here.
Now, with that new feature, I found an Improper Authorization bug that bypasses two security features of HackerOne for bug bounty programs:
- Bypass the 2FA requirement when submitting new reports to a program. Learn more here.
- Bypass a hacker blacklist set by a program (when a program does not want to receive reports from specific hackers). Learn more here.
Bypass 2FA requirement when submitting new reports to a program
A program owner can require hackers to set up two-factor authentication before submitting new reports to their program here: https://hackerone.com/<program>/submission_requirements (see image below).
The Parrot Sec program has this feature enabled, so hackers must set up 2FA before submitting reports. I removed the 2FA on my account to test, and it is good that I was blocked from submitting new reports (see image below).
Now I was able to bypass this 2FA setup requirement by using the Parrot Sec program's Embedded Submission Form.
Steps to reproduce:
- Log in to your account and remove the 2FA on your account (if you have already set it up).
- Now go to https://hackerone.com/parrot_sec and hit the Submit Report button; observe that you cannot submit a report unless you enable your 2FA.
- BYPASS: Get the Embedded Submission URL from their policy page. I get this > https://hackerone.com/<redacted_UUID>/embedded_submissions/new
- Now submit a report using that embedded submission form, and you can submit reports without setting up your 2FA, despite the program requiring users to set up 2FA before submitting new reports.
- 2FA requirement successfully bypassed!
Impact
Users can still submit a report to a program even though the program owner requires 2FA to be enabled on the account before a hacker can submit reports.
Bypass Hacker Blacklist of a program
If a hacker's behavior is out of sync with what is outlined on a bug bounty program's Security Page, or if they've violated part of the HackerOne Code of Conduct, program owners can take action to ban hackers from participating in their program. BBP program owners can ban hackers from both private and public programs (see image below). For additional information, learn more here.
So I asked a good friend of mine, Ace Candelario (phspade), to ban my h1/japz account from submitting new reports to the HackerOne Parrot Sec program; btw, he is the Philippine Ambassador of Parrot Security and one of the triagers in the Parrot Sec HackerOne program. After banning my account, I tried to submit a report, and clicking on the Submit Report button redirected me to a Page not found error page (see below).
It's good; the reason why I cannot submit a new report is that I am banned/blacklisted on the Parrot Sec program. :)
But using the same steps to reproduce as in my first bypass above (bypassing the 2FA requirement), I was able to submit a new report to the BBP program despite already being banned.
Impact
A malicious user can still submit as many reports as he/she wants despite the program owner having banned/blacklisted the hacker.
Note: This second bypass turned out to have the same root cause as the first bypass above, therefore it was closed as a duplicate of my first report #418767.
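Both bypasses come down to one thing: the program page enforced the submission policy (2FA requirement, reporter blacklist), while the embedded submission form was a second entry point that did not. The model below is an added illustration of that root cause and of the centralized-check fix, not HackerOne's code; the program handle, the banned username, and the rule that an anonymous embedded submitter is refused when the program requires 2FA are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Program:
    handle: str
    requires_2fa: bool = False                      # submission_requirements: 2FA enforced
    banned: set = field(default_factory=set)        # reporter blacklist


@dataclass
class Hacker:
    username: Optional[str]   # None models an anonymous embedded-form submitter (assumption)
    has_2fa: bool = False


def policy_violations(program: Program, hacker: Hacker) -> List[str]:
    """Single source of truth for 'may this reporter submit to this program?'."""
    reasons = []
    if hacker.username in program.banned:
        reasons.append("reporter is banned from this program")
    if program.requires_2fa and not hacker.has_2fa:   # anonymous submitters fail this too
        reasons.append("program requires 2FA before new reports")
    return reasons


def _create_report(program: Program, hacker: Hacker, title: str, source: str) -> dict:
    return {"program": program.handle, "reporter": hacker.username,
            "title": title, "source": source, "accepted": True, "reasons": []}


def submit_via_program_page(program: Program, hacker: Hacker, title: str) -> dict:
    """The normal 'Submit Report' button: policy is enforced here."""
    reasons = policy_violations(program, hacker)
    return {"accepted": False, "reasons": reasons} if reasons \
        else _create_report(program, hacker, title, "program_page")


def submit_via_embedded_form_vulnerable(program: Program, hacker: Hacker, title: str) -> dict:
    """The flaw in the write-up: a second entry point that never consults the policy."""
    return _create_report(program, hacker, title, "embedded")


def submit_via_embedded_form_fixed(program: Program, hacker: Hacker, title: str) -> dict:
    """Fix: every entry point routes through the same policy check."""
    reasons = policy_violations(program, hacker)
    return {"accepted": False, "reasons": reasons} if reasons \
        else _create_report(program, hacker, title, "embedded")


# Constructed sample data mirroring the write-up's scenario
PARROT = Program(handle="parrot_sec", requires_2fa=True, banned={"japz"})
JAPZ = Hacker(username="japz", has_2fa=False)
```

The useful regression test for a platform like this is the negative one: the same denied reporter must be denied on every submission path, not just the primary one.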
Disclosure Timeline
- 2018-10-04 02:41:19 — Report submitted to HackerOne security team.
- 2018-10-05 20:07:59 — Security team acknowledged and triaged the report.
- 2018-10-05 20:53:21 — $10,000 bounty rewarded.
- 2018-10-06 00:38:15 — Fix for the High severity bug released to production, while the fix for the initial submission (Medium) was still in progress.
- 2018-10-25 23:11:03 — Fix for the initially reported Medium severity bug released to production.
- 2018-10-25 23:11:03 — Status: Resolved
Original submission reference: Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form
Shout-out to all Pinoy Bug Bounty Hunters out there! :)
Cheers!
Japz
https://twitter.com/japzdivino
https://www.facebook.com/pinoywhitehat