Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
Severity: Medium (6.1)
Weakness: Business Logic Errors (CWE-840)
Summary:
I have found a way to harvest all private HackerOne invitations using the Leave Program feature together with the security@ email forwarding feature, without any user interaction.
First, when a program has activated the security@ email forwarding feature on HackerOne and a hacker sends an email to the company's configured security address (e.g. security@company.com), the HackerOne system sends an automated email invitation token (link) to the hacker, and this invitation allows the hacker to join and become a participant of the private program. (see image below)
Now, hackers can choose to leave the program in exchange for another automated invite when they fill out the leave program survey form using the new Leave Program functionality. (see image below)
Exploitation — HackerOne will do it for you fully automated without any user interaction
Steps To Reproduce
Assumes that you don’t have any invites (as in 0 invites)
- First, find a program with security@ email forwarding enabled on HackerOne. This is easy: go to https://hackerone.com/bug-bounty-programs, click through all the programs and send a test email to the security@ address declared on their public page. If you receive an email invitation to submit your bug, that means security@ forwarding is activated for that private program.
- Take the private program email address configured for the email forwarding feature (e.g. security@companyname.com or hackerone@companyname.com).
- Let's take security@companyname.com, assuming that the H1 private program is using that email forwarding address. Send a test mail to that address.
- You will receive an invitation email via the security@ email forwarding feature (like the first screenshot above).
- Click Submit Vulnerability; you are now a participant.
- Now leave the program, fill out the leave survey, then confirm the leave.
- You'll be fast-tracked for invites; the invitation will most likely arrive within the next 24 hours as stated. (like the 2nd screenshot above)
- REPEAT STEPS 2 to 7 after the new invite from the fast-tracked invites arrives.
This is actually easy to exploit using the logical flow below:
Impact
An attacker can harvest all private invitations without any user interaction; in a matter of a few months you can have 100+ private invitations just by repeating the steps I provided above daily.
INVITES ALL YOU CAN :)
Fixed
Now when someone leaves a program that they got access to through the HackerOne email forwarding feature, they won't receive an invitation to another program anymore.
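As an added illustration (my own model, not HackerOne's code), the Python below captures the leave-program eligibility logic before and after the fix: each membership records how access was obtained, and leaving only earns a fast-tracked invite when the member did not join through email forwarding. The class and field names, and the assumption that regular invitees still get fast-tracked after leaving, are mine.

```python
from dataclasses import dataclass, field
from enum import Enum


class JoinSource(Enum):
    """How a hacker obtained access to a private program (modelled, not HackerOne's schema)."""
    INVITE = "invite"                        # a regular private invitation
    EMAIL_FORWARDING = "email_forwarding"    # the security@ forwarding token described above


@dataclass
class Membership:
    hacker: str
    program: str
    source: JoinSource


@dataclass
class InvitePolicy:
    """Leave-program logic. fix_enabled=False reproduces the reported behaviour."""
    fix_enabled: bool = True
    memberships: dict = field(default_factory=dict)         # (hacker, program) -> Membership
    fast_track_credits: dict = field(default_factory=dict)  # hacker -> fast-tracked invites earned

    def join(self, hacker: str, program: str, source: JoinSource) -> None:
        self.memberships[(hacker, program)] = Membership(hacker, program, source)

    def leave(self, hacker: str, program: str, survey_completed: bool) -> bool:
        """Remove the membership; return True if a fast-tracked invite was granted."""
        member = self.memberships.pop((hacker, program))
        if not survey_completed:
            return False
        # The fix: access gained through email forwarding is not a real private invite,
        # so leaving such a program must not be traded for one.
        if self.fix_enabled and member.source is JoinSource.EMAIL_FORWARDING:
            return False
        self.fast_track_credits[hacker] = self.fast_track_credits.get(hacker, 0) + 1
        return True


def invites_harvested(fix_enabled: bool, cycles: int) -> int:
    """Run the join-via-forwarding / leave loop from the report and count the invites it yields."""
    policy = InvitePolicy(fix_enabled=fix_enabled)
    for i in range(cycles):
        program = f"program-{i}"  # constructed program names
        policy.join("hacker", program, JoinSource.EMAIL_FORWARDING)
        policy.leave("hacker", program, survey_completed=True)
    return policy.fast_track_credits.get("hacker", 0)
```

With the fix disabled every cycle yields one invite; with it enabled the loop yields none, while a member who joined through a regular invite still earns a fast-tracked invite on leaving.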
Disclosure Timeline
- 2018-04-06 11:26:21 — Report submitted to HackerOne security team.
- 2018-04-11 16:58:42 — Security team acknowledged and triaged the report.
- 2018-04-11 21:34:50 — $2,500 bounty and swag rewarded.
- 2018-04-17 19:53:34 — Bug fixed and released to production.
Original submission reference: Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
Shout’out to all Pinoy Bug Bounty Hunters out there! :)
Cheers!
Japz
https://twitter.com/japzdivino