IDOR on HackerOne Hacker Review “What Program Say”

Severity: Low

Weakness: Insecure Direct Object Reference

Hello everyone, welcome to my first blog, I’m going to share my recent finding on HackerOne’s own bug bounty program.

NOTE: There are two precondition to successfully exploit the bug.

  • Attacker must be a team member that can review a hacker (hacker program participants)
  • Victims must be a participant of the program (submitted a report — despite of any status of report, even the report was not yet touched by the sec team, as long as you submitted a report, you are already a participant)

When i am checking on disclosed report in h1 hacktivity, i always visit some of the profile that have a recently disclosed report to see if i can get some idea on their report, but recently i have observed that some of the researchers have a “What Program Say” on their profile, so i think this is a new feature on hackerone, I’ve found it cool and a bit interesting so i try to check if i can find some good fruit on this new feature :) , First thing is how that review posted on hacker profile ?

According to this https://support.hackerone.com/hc/en-us/articles/115003573643-Hacker-Reviews , With Hacker Reviews, HackerOne customers have the option to send comments on hacker behavior to HackerOne and the hacker after closing a report.

Means this feature is for customer’s security teams, i contacted my bug hunting buddy @phspade a good friend of mine, he is the Philippine ambassador of Parrot Sec and one of the triage team on parrot security bug bounty program on hackerone, he gave me permission to use one of the test account that can be able to review a hacker.

Let me share what happens.

I submitted a test report to Parrot Sec program using my hackerone account japzdivino, then i closed the test report and perform a Hacker Review, while submitting the hacker review, I’ve captured the request and observed the below POST request:

POST /hacker_reviews HTTP/1.1
Host: hackerone.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
X-CSRF-Token: <redacted>
X-Requested-With: XMLHttpRequest
Referer: https://hackerone.com/bugs?subject=parrot_sec&report_id=<redacted>&view=all&substates%5B%5D=new&substates%5B%5D=triaged&substates%5B%5D=needs-more-info&substates%5B%5D=resolved&substates%5B%5D=informative&substates%5B%5D=not-applicable&substates%5B%5D=duplicate&substates%5B%5D=spam&reported_to_team=&text_query=&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=latest_activity&sort_direction=descending&limit=25&page=1
Cookie: <redacted>
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 116

hacker_username=japzdivino&report_id=<redacted>&positive=true&behavior=friendly&private_feedback=Thanks+for+your+report.&public_feedback=Japz is awesome!.

One parameter caught my attention and this is the report_id , I have change the report_id to some private reports (report id) to see if i will received an email with the report title of the private report and voila! , nothing happens :/ , i thought i can find an IDOR to reveal the title of some private reports by manipulating the report_id param but i fail.

After that, i check the other params and another interesting parameter also caught my attention, this is hacker_usernamewhich contains my username since the submitted test report was mine, and out of curiosity i also try to change the value of that hacker_username , i replace hacker_username=japzdivino to hacker_username=jong_jongin which jong_jong was the hackerone username of my other half ❤, then i forwarded the request.

5 minutes had passed and i haven’t received any email notification regarding the hacker review, i smiled because if I’m not mistaken my assumption was correct, the email has been sent to jong_jong’s email address and to verify this i logged-in to my girlfriend’s email and confirmed that the email has been sent to her account.

Also, to make sure that there is a direct impact to all hackerone users, i go to jong_jong’s profile to verify if the public review was posted on her profile and confirmed that it was posted.

Here is the original submission from HackerOne: https://hackerone.com/reports/262661

Below is the PoC video:

IDOR on HackerOne Hacker Review “What Program Say”

Timeline:

  • August 24, 2017 — Report Submitted
  • August 24, 2017 - Sec team first response - report under review
  • August 25, 2017 - Sec team ask for more information
  • August 25, 2017 - Provided more information to sec team
  • August 29, 2017 - Sec team change the status to Triage — bug confirmed and now working on a fix
  • September 1, 2017 - Resolved (Not eligible for bounty — Swag awarded)

Big shout’out to my very beautiful and supportive girlfriend Agnes Janet II (jong_jong), i love you so much :-* ❤ and to my bug hunting buddy Ace Candelario (phspade) for letting me use your test accounts on creating my proof of concept (PoC).

Shout’out to my little bro Reymark Divino (reydd) and all Pinoy Bug Bounty Hunters out there :)

Cheers,

@japzdivino