Internal attachments can be exported via “Export as .zip” feature on HackerOne
Severity: High (7.5)
Weakness: Information Disclosure (CWE-200)
Bounty: $12,500
Hello Internet, this blog is about my findings on HackerOne’s own bug bounty program in late 2016: a simple information disclosure for which the HackerOne team decided to award the highest bounty amount paid for a single submission so far on their own program, because of its business impact.
Research:
When a program publicly discloses a report on HackerOne, the platform supports two kinds of disclosure: full disclosure and limited disclosure. A full disclosure (normal disclosure) includes the vulnerability information, the attachments, and the full timeline of activity. A limited disclosure restricts visibility to a summary of the vulnerability and the timeline of activity (comments or actions).
On November 14, 2016, HackerOne released a new feature that adds the ability to export a disclosed report. You can export the report using View raw text or Export as .zip:
View raw text — This shows a text area from which you can copy and paste the report timeline.
Export as .zip — This lets you download the complete report (including attachments) as a zip archive.
Findings / Submission
I saw this new feature on the platform 3 days after it was released. It was a bit late to test it, but I tried. On November 17 the first thing I did was export a report containing redacted text and check whether I could see the redacted text in the raw text file, but no luck!, so I stopped my research.
On November 29, 2016, while browsing the HackerOne hacktivity timeline, I saw a newly disclosed report about the new export features. The security researcher @faisalahmed had found that he could still view the redacted text of a report when he exported it using View raw text. What ??? really? I was shocked, because this is the same thing I had tested, so I wondered why I didn’t find the bug that @faisalahmed submitted. After reading the summary of his report https://hackerone.com/reports/182358, it turned out he found the bug within 24 hours of HackerOne releasing the feature, and now I understood: I was 3 days late to test it :(
So I thought I was not lucky :( and, out of nowhere, I pressed the export button on his report #182358 and exported it as a .zip file, which includes everything in the report, because I just wanted to see whether his bug was really fixed.
When I extracted the zip and opened it, I saw a text file and an image file. I opened the text file and verified that the bug he submitted was really fixed now, but wait.. what is the image file? I opened it and saw that the image appeared to be a PoC screenshot from the report, but I hadn’t seen that image when I was reading the report, and I remembered that @faisalahmed had posted a comment requesting the removal of some screenshots from the report.
If I am not mistaken, the image I saw in the exported file is the image that @faisalahmed requested to be removed.
I immediately reported it to HackerOne using the very simple steps below:
Steps to reproduce:
- Go to https://hackerone.com/reports/182358 (@faisalahmed’s report)
- Export the report as .zip
- Now extract the .zip file (HackerOne_Report-security#182358.zip)
- You will see that the image is still there, even though, based on the thread, the HackerOne team had removed the image from the disclosed report as requested by the researcher.
12 minutes after I filed the report, the HackerOne team confirmed the vulnerability and triaged it.
20 minutes after triaging the report, HackerOne released the fix to production.
Finally, 2 days after the issue was resolved, HackerOne’s own bug bounty program awarded the highest bounty paid for a single submission so far.
Fixed
Now, when you export a report from which attachments have been removed, those attachments no longer appear in the zip file; the archive contains only the raw text file of the report submission.
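As an added illustration (not HackerOne’s code; the data model, function names and sample report are assumed), the flaw and its fix reduced to a minimal model: an exporter that packages attachments straight from storage leaks ones that were removed from the disclosed view, while one that packages only the attachments still visible on the report does not, and a regression check catches the difference.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    data: bytes
    removed: bool = False  # set when an attachment is pulled from the disclosed report


@dataclass
class Report:
    report_id: int
    raw_text: str
    attachments: list = field(default_factory=list)


def visible_attachments(report):
    """Attachments a visitor to the disclosed report can actually see."""
    return [a for a in report.attachments if not a.removed]


def _build_zip(report, attachments):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"report_{report.report_id}.txt", report.raw_text)
        for a in attachments:
            zf.writestr(a.name, a.data)
    return buf.getvalue()


def export_zip_vulnerable(report):
    """Models the original behaviour: zip built from storage, so removed files leak."""
    return _build_zip(report, report.attachments)


def export_zip_fixed(report):
    """Models the fix: zip built from the same view the disclosed report shows."""
    return _build_zip(report, visible_attachments(report))


def archive_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def leaked_names(zip_bytes, report):
    """Regression check: removed attachments that still appear in the archive."""
    names = set(archive_names(zip_bytes))
    return sorted(a.name for a in report.attachments if a.removed and a.name in names)


# Constructed sample: a disclosed report whose PoC screenshot was later removed.
SAMPLE = Report(1001, "Summary: example disclosed report",
                [Attachment("poc.png", b"\x89PNG...", removed=True),
                 Attachment("fix.png", b"\x89PNG...")])
```

Running `leaked_names` against both exporters on `SAMPLE` shows the vulnerable export leaking `poc.png` and the fixed export leaking nothing.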
Disclosure Timeline
- 2016-11-29 03:04:52 — Report submitted to the HackerOne security team.
- 2016-11-29 03:16:36 — The security team acknowledged and triaged the report.
- 2016-11-29 04:36:34 — Bug fixed and released to production.
- 2016-11-29 04:59:23 — Researcher verified the fix.
- 2016-11-30 09:15:51 — $12,500 bounty and swag awarded.
Original submission reference: Internal attachments can be exported via “Export as .zip” feature