Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature

Japz Divino
Oct 22, 2018 · 3 min read

Severity: Medium (6.1)
Weakness: Business Logic Errors (CWE-840)

Summary:

I found a way to harvest all private HackerOne invitations by combining the Leave Program feature with the security@ email forwarding feature, without any user interaction.

HackerOne Security@ Email Forwarding Feature

First, when a program has the security@ email forwarding feature activated on HackerOne and a hacker sends an email to the company's configured security address (e.g. security@company.com), the HackerOne system sends the hacker an automated email containing an invitation token (link). This invitation allows the hacker to join the private program and become a participant. (see image below)

Automated HackerOne email invitation for private programs having security@ email forwarding feature enabled.

Decline Invites and Leave Programs

Now, using the new Leave Program functionality, a hacker can choose to leave the program in exchange for another automated invite by filling in the leave-program survey form. (see image below)

Fast-tracked for invites: when you leave a private program, HackerOne will give you a new invitation, most likely within 24 hours.

Exploitation — HackerOne will do it for you fully automated without any user interaction

Steps To Reproduce

Assumes that you don’t have any invites (as in 0 invites)

  1. First, find a program with security@ email forwarding enabled on HackerOne. This is easy: go to https://hackerone.com/bug-bounty-programs, open each program, and send a test email to the security@ address declared on its public page. If you receive an email invitation to submit your bug, security@ forwarding is activated for that private program.

This is actually easy to exploit using the logical flow below:

Flowchart for Business Logic Error Bug

Impact

An attacker can harvest all private invitations without any user interaction; in a matter of a few months you can accumulate 100+ private invitations just by repeating the steps above daily.

INVITES ALL YOU CAN :)

Fixed

Now, when someone leaves a program that they got access to through the HackerOne email forwarding feature, they no longer receive an invitation to another program.

Jobert, co-founder of HackerOne, responding on the report thread that the fix has been released.
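To make the broken rule and the fix concrete, here is a small Python model of the invitation flow described above. It is an added example, not HackerOne's code: the class names, the JoinSource flag, the one-invitation-per-leave reward and the "start with 0 invites" assumption are all mine, used only to show why rewarding every leave, regardless of how access was obtained, lets the daily loop grow invites from nothing, while the patched rule does not.

```python
"""Toy model of the invitation flow the post describes.

Added example, not HackerOne's code. The class names, the JoinSource flag
and the one-invite-per-leave reward are assumptions used to illustrate the
business-logic error (CWE-840) and the fix described in the post.
"""
from dataclasses import dataclass, field
from enum import Enum


class JoinSource(Enum):
    INVITE = "invite"                      # joined by spending a platform invitation
    EMAIL_FORWARDING = "email_forwarding"  # joined via the security@ automated invite


@dataclass
class Membership:
    program: str
    source: JoinSource


@dataclass
class Hacker:
    name: str
    pending_invites: int = 0               # unused private-program invitations
    memberships: list = field(default_factory=list)


class Platform:
    """fixed=False reproduces the vulnerable rule, fixed=True the patched rule."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed

    def email_security_at(self, hacker: Hacker, program: str) -> None:
        # The program has security@ forwarding enabled: the mail yields an
        # automated invitation that lets the sender join without spending one.
        hacker.memberships.append(Membership(program, JoinSource.EMAIL_FORWARDING))

    def accept_invite(self, hacker: Hacker, program: str) -> None:
        # Normal path: joining a private program costs one pending invitation.
        if hacker.pending_invites < 1:
            raise ValueError(f"{hacker.name} has no invitation to spend")
        hacker.pending_invites -= 1
        hacker.memberships.append(Membership(program, JoinSource.INVITE))

    def leave_program(self, hacker: Hacker, program: str) -> None:
        membership = next(m for m in hacker.memberships if m.program == program)
        hacker.memberships.remove(membership)
        # Vulnerable rule: every leave is rewarded with a fast-tracked invitation,
        # no matter how the hacker got in.
        # Fixed rule: access obtained through email forwarding earns nothing.
        if self.fixed and membership.source is JoinSource.EMAIL_FORWARDING:
            return
        hacker.pending_invites += 1


def harvest(platform: Platform, days: int, program: str = "example-program") -> int:
    """Run the post's daily loop from 0 invites; return invitations harvested."""
    hacker = Hacker("attacker")                       # assumption: 0 invites at start
    for _ in range(days):
        platform.email_security_at(hacker, program)   # get in via security@ forwarding
        platform.leave_program(hacker, program)       # leave and claim the fast-track invite
    return hacker.pending_invites


def legit_swap(platform: Platform) -> int:
    """Leaving a program joined by invitation still trades one invite for one."""
    hacker = Hacker("researcher", pending_invites=1)
    platform.accept_invite(hacker, "some-program")
    platform.leave_program(hacker, "some-program")
    return hacker.pending_invites


if __name__ == "__main__":
    print("vulnerable, 30 days:", harvest(Platform(fixed=False), 30))  # 30
    print("fixed, 30 days:     ", harvest(Platform(fixed=True), 30))   # 0
    print("fixed, legit swap:  ", legit_swap(Platform(fixed=True)))    # 1
```

The point of the model is that the fix keys on the source of the membership rather than on the act of leaving: a researcher who spends an invitation and later leaves still gets one back, but an email-forwarding join is no longer convertible into a platform invitation.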

Disclosure Timeline

  • 2018-04-06 11:26:21 — Report submitted to the HackerOne security team.

Original submission reference: Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature

Shout’out to all Pinoy Bug Bounty Hunters out there! :)

Cheers!
Japz
https://twitter.com/japzdivino

Pinoy White Hat

Bug bounty writeup.
