Bypass HackerOne 2FA requirement and reporter blacklist

Severity: Medium (5.0) — High (7.1)
Weakness: Improper Authorization
Bounty: $10,000

Summary:

First, the initial submission got a bounty of $2,500. But while HackerOne was doing their Root Cause Analysis (RCA) of my report submission, they have stumbled upon another vulnerability with High severity.

Since my submission gives them a nudge in the right direction, they rewarded me another $7,500 for the increase scope of finding.

Research:

My routine when i am hunting on HackerOne main platform is always checking if they have new incoming feature, And i saw that there is beta feature called Embedded Submission Form which enables hackers to Anonymously submit reports without having to create an account on HackerOne. For additional information. Learn more here.

Now, with that new feature i have found an Improper Authorization bug that bypasses the 2 security features of HackerOne for the bug bounty programs.

1. Bypass 2FA requirements when submitting new reports to a program. Learn more here.
2. Bypass hacker blacklisted by a program (when a program does not want to receive report from specific hackers). Learn more here.

Bypass 2FA requirements when submitting new reports to a program

A program owner can enforce the hackers to setup the two-factor authentication before submitting new reports to their program here: https://hackerone.com/<program>/submission_requirements (see below image)

Enabled 2FA requirements

The Parrot Sec program has this feature enabled to enforce the hackers to setup 2FA before submitting reports. I removed my 2FA in my account to test and it is good that i was block from submitting new reports (see below image)

2FA required by the program before submitting new reports.

Now i was able to bypass this 2FA setup requirements by using the Parrot Sec program Embedded Submission Form.

Steps to reproduce:

1. Login to your account and remove your 2FA on your account (if you already setup it)
2. Now go to https://hackerone.com/parrot_sec and hit Submit Report button, observed that you cannot submit report unless you will enable your 2FA.
3. BYPASS: Get the Embedded Submission URL on their policy page: i get this > https://hackerone.com/<redacted_UUID>/embedded_submissions/new
4. Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program enforce the user to setup the 2FA before submitting new reports.
5. 2FA requirements successfully bypassed!

Impact

Users can still submit a report to a program despite the program owner require a 2FA enabled to account before hacker can submit reports.

Bypass Hacker Blacklisted to a program

If a hacker’s behavior is out of sync with what is outlined on bug bounty program Security Page, or if they’ve violated part of the HackerOne Code of Conduct, program owners can take action to ban hackers from participating in their program. BBP program owners can ban hackers from both private and public programs. (see below image), For additional information.. Learn more here.

Program blacklisting hackers.

So i ask a good friend of mine Ace Candelario (phspade) to ban my h1/japz account on HackerOne Parrot Sec program from submitting a new report, btw he is the Philippine Ambassador of Parrot Security and one of the Triager in Parrot Sec hackerone program. After banning my account i try to submit a report and clicking on the submit report button redirects me to Page not found error page (see below).

Error page when you are banned to specific program and try to submit a report.

It’s good, the reason why i cannot submit a new report is because i am banned/black-listed on the parrot sec program. :)

But using the same steps to reproduce on my first bypass above (Bypassing 2FA requirements), I was able to submit a new report to the bbp program despite i am already banned.

Impact

Malicious user can still submit a report as many as he/she want despite the program owner banned/black-list the hackers.

Note: This second bypass have turns out to have the same root cause of the first bypass above, therefore it was closed as duplicate of my first report #418767.

HackerOne Co-Founder Jobert closed the report as duplicate because it has the same root cause of the first bug mentioned above.

Disclosure Timeline

• 2018–10–04 02:41:19 — Report submitted to HackerOne security team.
• 2018–10–05 20:07:59 — Security team acknowledge and Triage the report
• 2018–10–05 20:53:21 — $10,000 Bounty rewarded.
• 2018–10–06 00:38:15 — Fix for the High severity bug released to production, while the initial submission (Medium) was still ongoing fix.
• 2018–10–25 23:11:03 — Fix for Medium severity bug that is initially reported was released to production
• 2018–10–25 23:11:03 —Status: Resolved

Original submission reference: Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form

Shout’out to all Pinoy Bug Bounty Hunters out there! :)

Cheers!
Japz
https://twitter.com/japzdivino
https://www.facebook.com/pinoywhitehat