Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
Severity: Medium (6.1)
Weakness: Business Logic Errors (CWE-840)
First, when a program activates the security@ email forwarding feature on HackerOne and a hacker sends an email to the company's configured security address (e.g. firstname.lastname@example.org), the HackerOne system sends the hacker an automated email invitation token (link). This invitation allows the hacker to join and become a participant of the private program. (see image below)
Now, hackers can choose to leave the program in exchange for another automated invite by filling out the leave program survey form in the new Leave Program functionality. (see image below)
Exploitation — HackerOne will do it for you fully automated without any user interaction
Steps To Reproduce
This assumes that you don't have any invites (as in 0 invites).
- First, find a program with security@ email forwarding enabled on HackerOne. This is easy: go to https://hackerone.com/bug-bounty-programs, click through all the programs and send a test email to the security email declared on each public page. If you receive an email invitation to submit your bug, that means security@ forwarding is activated for that private program.
- Take the private program email address configured for the email forwarding feature (e.g. email@example.com or firstname.lastname@example.org).
- Let's take email@example.com, assuming that the H1 private program is using that email forwarding address. Send a test mail to that address.
- You will receive an invitation email via the security@ email forwarding feature (like the first screenshot above).
- Click Submit Vulnerability; you are now a participant.
- Now leave the program, fill out the leave survey, then confirm leave.
- You'll be fast-tracked for invites; the invitation will most likely arrive within the next 24 hours, as stated (like the 2nd screenshot above).
- REPEAT STEPS 2 to 7 after a new invite arrives from the fast-tracked invites.
This is actually easy to exploit using the logical flow below:
An attacker can harvest all private invitations without any user interaction; in a matter of a few months you can have 100+ private invitations just by repeating the steps I provided above daily.
INVITES ALL YOU CAN :)
Now, when someone leaves a program that they got access to through the HackerOne email forwarding feature, they won't receive an invitation to another program anymore.
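To make the fix concrete, here is an added example (hypothetical model, not HackerOne's code) of the join/leave bookkeeping: it records how each membership was obtained and only grants a fast-tracked invite on leave when that access did not come from security@ forwarding. Class and function names are assumptions; the simulation repeats the join-leave-survey loop from the steps above and counts the fast-track grants with and without the fix.

```python
from dataclasses import dataclass
from enum import Enum


class JoinSource(Enum):
    DIRECT_INVITE = "direct_invite"        # the program invited the hacker
    EMAIL_FORWARDING = "email_forwarding"  # hacker mailed security@ and got an automated invite


@dataclass(frozen=True)
class Membership:
    hacker: str
    program: str
    source: JoinSource


class InviteService:
    """Hypothetical bookkeeping for join / leave / fast-track; not HackerOne's implementation."""

    def __init__(self, fast_track_forwarded_leavers: bool):
        # True reproduces the reported flaw, False applies the fix the writeup describes.
        self.fast_track_forwarded_leavers = fast_track_forwarded_leavers
        self.memberships = {}          # (hacker, program) -> Membership
        self.fast_track_queue = []     # hackers queued for a fast-tracked invite

    def join(self, hacker: str, program: str, source: JoinSource) -> None:
        # Record how access was obtained; the fix depends on this provenance.
        self.memberships[(hacker, program)] = Membership(hacker, program, source)

    def leave(self, hacker: str, program: str, survey_completed: bool) -> bool:
        """Drop the membership; return True if a fast-tracked invite was granted."""
        membership = self.memberships.pop((hacker, program))
        if not survey_completed:
            return False
        if (membership.source is JoinSource.EMAIL_FORWARDING
                and not self.fast_track_forwarded_leavers):
            return False  # forwarding-derived access never earns a fast-track invite
        self.fast_track_queue.append(hacker)
        return True


def simulate_cycles(fast_track_forwarded_leavers: bool, cycles: int) -> int:
    """Repeat mail security@ -> join -> leave -> survey and count fast-track grants."""
    svc = InviteService(fast_track_forwarded_leavers)
    granted = 0
    for _ in range(cycles):
        svc.join("hacker", "program-a", JoinSource.EMAIL_FORWARDING)
        granted += svc.leave("hacker", "program-a", survey_completed=True)
    return granted
```

With the flaw enabled every cycle yields a new fast-track grant; with the fix applied the count stays at zero, while hackers who were invited directly still get fast-tracked when they leave.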
- 2018–04–06 11:26:21 — Report submitted to HackerOne security team.
- 2018–04–11 16:58:42 — Security team acknowledged and triaged the report
- 2018–04–11 21:34:50 — $2,500 Bounty and swag rewarded.
- 2018–04–17 19:53:34 — Bug fixed and released to production
Original submission reference: Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
Shout-out to all Pinoy Bug Bounty Hunters out there! :)