Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature

Severity: Medium (6.1)
Weakness: Business Logic Errors
(CWE-840)

Summary:

I have found a way to harvest all private HackerOne invitations using the Leave Program feature together with the Security@ email forwarding feature, without any user interaction.

HackerOne Security@ Email Forwarding Feature

First, when a program has activated the security@ email forwarding feature on HackerOne and a hacker sends an email to the company's configured security email (e.g. security@company.com), the HackerOne system will send an automated email invitation token (link) to the hacker, and this invitation allows the hacker to join and become a participant of the private program. (see image below)

Automated HackerOne email invitation for private programs having security@ email forwarding feature enabled.
Decline Invites and Leave Programs

Now, hackers can choose to leave the program in exchange for another automated invite when they fill out the leave program survey form using the new Leave Program functionality. (see image below)

Fast-tracked for invites: when you leave a private program, HackerOne will give you a new invitation, most likely within 24 hours.

Exploitation — HackerOne will do it for you, fully automated, without any user interaction

Steps To Reproduce

This assumes that you don't have any invites (as in 0 invites).

  1. First, find a program with security@ email forwarding enabled on HackerOne. This is easy: go to https://hackerone.com/bug-bounty-programs, open each program and send a test email to the security@ address declared on its public page. If you receive an email invitation to submit your bug, that means security@ forwarding is activated for that private program.
  2. Take the private program email address configured for the email forwarding feature (e.g. security@companyname.com or hackerone@companyname.com).
  3. Let's take security@companyname.com, assuming that the H1 private program is using that email forwarding address. Send a test mail to that address.
  4. You will receive an invitation email via the security@ email forwarding feature (like the first screenshot above).
  5. Click Submit Vulnerability; you are now a participant.
  6. Now leave the program, fill out the leave survey, then confirm leave.
  7. You'll be fast-tracked for invites; the invitation will most likely arrive within the next 24 hours, as stated (like the 2nd screenshot above).
  8. Repeat steps 2 to 7 after the new invite from the fast-track arrives.

This is actually easy to exploit using the logical flow below:

Flowchart for Business Logic Error Bug

Impact

An attacker can harvest all private invitations without any user interaction; in a matter of a few months you can have 100+ private invitations just by repeating the steps I provided above daily.

INVITES ALL YOU CAN :)

Fixed

Now, when someone leaves a program that they got access to through the HackerOne email forwarding feature, they won't receive an invitation to another program anymore.
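To make the flaw and the fix concrete, here is a small Python model, added here and not HackerOne's code, of the invite-eligibility rule: it runs the join-then-leave loop from the steps above against constructed program names, once with the vulnerable rule and once with the fixed rule described in the paragraph above, where a membership gained via security@ forwarding earns no fast-track invite on leave.

```python
"""Constructed model of the fast-track invite rule (not HackerOne's code).
Memberships record how they were obtained; the fix keys off that origin."""
from dataclasses import dataclass, field
from enum import Enum


class Origin(Enum):
    INVITE = "invite"            # ordinary, quota-driven invitation
    EMAIL_FORWARD = "email_fwd"  # auto-invite from security@ email forwarding


@dataclass
class Hacker:
    invites: int = 0
    memberships: dict = field(default_factory=dict)  # program -> Origin


def join_via_email_forward(hacker, program):
    """Hacker emails security@ and clicks Submit Vulnerability (steps 3-5)."""
    hacker.memberships[program] = Origin.EMAIL_FORWARD


def leave_program(hacker, program, forward_joins_earn_fast_track):
    """Leave survey and confirm (step 6). Returns True if a fast-track invite is issued.

    forward_joins_earn_fast_track=True reproduces the vulnerable rule: any leave
    earns an invite. False is the fix: only memberships that consumed a real
    invitation qualify, so the email-forwarding loop yields nothing.
    """
    origin = hacker.memberships.pop(program)
    if origin == Origin.INVITE or forward_joins_earn_fast_track:
        hacker.invites += 1
        return True
    return False


def run_loop(cycles, forward_joins_earn_fast_track):
    """Repeat steps 2-7 `cycles` times; program names are constructed placeholders."""
    hacker = Hacker()
    for i in range(cycles):
        join_via_email_forward(hacker, f"program-{i}")
        leave_program(hacker, f"program-{i}", forward_joins_earn_fast_track)
    return hacker.invites


if __name__ == "__main__":
    print("vulnerable rule:", run_loop(30, True))   # 30 invites from 30 daily cycles
    print("fixed rule:     ", run_loop(30, False))  # 0
```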

Jobert — Co-Founder of HackerOne — responding on the report thread that the fix has been released.

Disclosure Timeline

  • 2018-04-06 11:26:21 — Report submitted to HackerOne security team.
  • 2018-04-11 16:58:42 — Security team acknowledged and triaged the report.
  • 2018-04-11 21:34:50 — $2,500 bounty and swag awarded.
  • 2018-04-17 19:53:34 — Bug fixed and released to production.

Original submission reference: Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature

Shout’out to all Pinoy Bug Bounty Hunters out there! :)

Cheers!
Japz
https://twitter.com/japzdivino