Security teams' internal attachments can be exported via the “Export as .zip” feature on HackerOne

Hello Internet, this blog post is about my findings on HackerOne's own bug bounty program in late 2016: a simple information disclosure that the HackerOne team decided to reward with the highest bounty amount in a single hit/submission so far on their own bug bounty program, due to its business impact.

Severity: High (7.5)
Weakness: Information Disclosure (CWE-200)

Research:

When a program has publicly disclosed a report on HackerOne, the platform supports two kinds of disclosure: full disclosure and limited disclosure. A full disclosure (the normal disclosure) includes the vulnerability information, attachments, and the full timeline of activity. A limited disclosure restricts visibility to a summary of the vulnerability and the timeline of activity (comments or actions).

On November 14, 2016 HackerOne released an awesome feature: the ability to export a disclosed report. You can export the report using View raw text or Export as .zip.

View raw text — This shows a text area from which you can copy and paste the report timeline.

Export as .zip — This lets you download the complete report (including attachments) as a zip archive.

[Image: popup modal shown when you try to export a report as raw text or as a .zip file on HackerOne]

Findings / Submission

I saw this new feature on the platform 3 days after it was released. It was a bit late to test it, but I tried anyway. On November 17 the first thing I did was export a report with redacted text and check whether I could see the redacted text in the raw text file, but no luck, so I stopped my research.

On November 29, 2016, while browsing the HackerOne hacktivity timeline, I saw a newly disclosed report about the new export features, in which the security researcher @faisalahmed found that he could still view the redacted text of a report when he exported it using View raw text. What??? Really? I was shocked, because this is the same thing I had tested, so I wondered why I hadn't seen the bug that @faisalahmed submitted. After reading the summary of his report, https://hackerone.com/reports/182358, it seems he found the bug within 24 hours of HackerOne releasing the feature, and now I understood: I was 3 days late to test it :(

So I thought I was just not lucky :( and then, out of nowhere, I pressed the export button on his report #182358 and exported it as a zip file to include everything in the report, because I just wanted to see whether his bug was really fixed.

When I extracted the zip and opened it, I saw a text file and an image file. I opened the text file and verified that the bug he submitted was really fixed now. But wait, what was the image file? I opened it and saw that the image seemed to be a screenshot used as the PoC in the report, but I had not seen that image while reading the report, and I remembered that faisalahmed had left a comment requesting that some screenshots be removed from the report.

And if I was not mistaken, the image I saw in the exported file was the image that faisalahmed had requested to be removed.

I immediately reported it to HackerOne using the very simple steps below:

Steps to reproduce:

  1. Go to https://hackerone.com/reports/182358 (faisalahmed's report)
  2. Export the report as .zip
  3. Now extract the .zip file (HackerOne_Report-security#182358.zip)
  4. You will see that the image is still there, even though, based on the thread, the HackerOne team removed the image from the disclosed report as requested by the researcher.

12 minutes after I filed the report, the HackerOne team confirmed the vulnerability and triaged it.

And 20 minutes after triaging the report, HackerOne released the fix to production.

Finally, 2 days after the issue was resolved, HackerOne's own bug bounty program rewarded the highest bounty in a single hit so far.

Fixed

Now when you export a report from which attachments have been removed, you will no longer see those attachments in the zip file, only the raw text file of the report submission.
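As an added illustration of the fix described above (example code written for this post, not HackerOne's own implementation; the data model, field names and the sample report are assumptions), here is an export routine in which the zip builder and the public report view share one visibility decision, shown beside the pattern that reproduces the bug, plus an audit check that flags any archive member that is not visible on the disclosed report. It also covers the limited-disclosure case from the Research section, where no attachments are visible at all.

```python
"""Added example (not HackerOne's own code): a report export that bundles
only the attachments a reader of the disclosed report is entitled to see.
The data model, field names and the sample report below are constructed
for illustration; they do not describe HackerOne's internal schema."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List


@dataclass
class Attachment:
    file_name: str
    data: bytes
    removed: bool = False  # taken off the disclosed report at the reporter's request


@dataclass
class Report:
    report_id: int
    title: str
    timeline: List[str]
    attachments: List[Attachment] = field(default_factory=list)
    disclosure: str = "full"  # "full" or "limited" disclosure (assumed field)


def visible_attachments(report: Report) -> List[Attachment]:
    """Attachments that the public, disclosed view of the report shows."""
    if report.disclosure == "limited":
        return []  # limited disclosure exposes only a summary and the timeline
    return [a for a in report.attachments if not a.removed]


def render_raw_text(report: Report) -> str:
    """The 'View raw text' content: title plus timeline entries."""
    lines = [f"Report #{report.report_id}: {report.title}", ""]
    lines.extend(report.timeline)
    return "\n".join(lines) + "\n"


def _build_zip(report: Report, attachments: List[Attachment]) -> bytes:
    """Write the raw text file and the given attachments into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", render_raw_text(report))
        for att in attachments:
            zf.writestr(f"attachments/{att.file_name}", att.data)
    return buf.getvalue()


def export_zip_vulnerable(report: Report) -> bytes:
    """The bug pattern: the export reads straight from storage and ignores
    the visibility rules that the web view applies."""
    return _build_zip(report, report.attachments)


def export_zip_fixed(report: Report) -> bytes:
    """The fix: export and web view go through the same visibility filter."""
    return _build_zip(report, visible_attachments(report))


def zip_members(blob: bytes) -> List[str]:
    """Sorted member names of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())


def audit_export(report: Report, blob: bytes) -> List[str]:
    """Regression check: every archive member must be the raw text file or a
    currently visible attachment. Returns the offending member names."""
    allowed = {"report.txt"} | {
        f"attachments/{a.file_name}" for a in visible_attachments(report)
    }
    return [name for name in zip_members(blob) if name not in allowed]


# Constructed sample: one screenshot kept, one removed at the reporter's request.
SAMPLE_REPORT = Report(
    report_id=0,  # placeholder id, not a real report number
    title="Example report",
    timeline=[
        "reporter submitted the report",
        "reporter asked for a screenshot to be removed",
        "program removed the screenshot",
        "report disclosed",
    ],
    attachments=[
        Attachment("poc_kept.png", b"\x89PNG kept"),
        Attachment("poc_removed.png", b"\x89PNG removed", removed=True),
    ],
)

if __name__ == "__main__":
    vulnerable = export_zip_vulnerable(SAMPLE_REPORT)
    fixed = export_zip_fixed(SAMPLE_REPORT)
    print("vulnerable export:", zip_members(vulnerable))
    print("fixed export:     ", zip_members(fixed))
    print("audit of vulnerable export:", audit_export(SAMPLE_REPORT, vulnerable))
```

The design point is that the export path never reads attachments directly; it asks the same visibility function the web view uses, so a removal or a limited-disclosure setting cannot be honoured in one place and forgotten in another. The audit function is the check a program would run over its own exports to catch this class of regression.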

Disclosure Timeline

  • 2016-11-29 03:04:52 — Report submitted to the HackerOne security team.
  • 2016-11-29 03:16:36 — Security team acknowledged and triaged the report.
  • 2016-11-29 04:36:34 — Bug fixed and released to production.
  • 2016-11-29 04:59:23 — Researcher verified the fix.
  • 2016-11-30 09:15:51 — $12,500 bounty and swag rewarded.

Original submission reference: Internal attachments can be exported via “Export as .zip” feature