Graphic by Archie Yuzon

How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne

Good day everyone!

Today I will proudly share with you how I found a bug in HackerOne that reveals a bug bounty program’s balance without any privilege escalation.

To begin, I was originally looking for a bug that would allow me to comment on a disclosed report. But when I checked the HTTP request in Chrome’s Developer Tools, I found something that caught my attention:

Request:

GET /reports/240273.json HTTP/1.1
Host: hackerone.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://hackerone.com/bugs?subject=user&report_id=238941&view=all&substates%5B%5D=pre-submission&substates%5B%5D=new&substates%5B%5D=triaged&substates%5B%5D=needs-more-info&substates%5B%5D=resolved&substates%5B%5D=informative&substates%5B%5D=not-applicable&substates%5B%5D=duplicate&substates%5B%5D=spam&reported_to_team=&text_query=&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=latest_activity&sort_direction=descending&limit=25&page=1
X-Requested-With: XMLHttpRequest
Connection: close

Response:

HTTP/1.1 200 OK
Date: Tue, 28 Nov 2017 20:33:14 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Disposition: inline; filename="response.json"
Content-Security-Policy: default-src 'none'; base-uri 'self'; connect-src 'self' www.google-analytics.com errors.hackerone.net; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src www.youtube-nocookie.com; img-src 'self' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com profile-photos.hackerone-user-content.com hackerone-attachments.s3.amazonaws.com; media-src 'self' hackerone-attachments.s3.amazonaws.com; script-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline'; report-uri https://errors.hackerone.net/api/30/csp-report/
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Server: cloudflare-nginx
CF-RAY: 3c5019db6afc60ae-MNL
Content-Length: 9669
{
  "id": 240273,
  "url": "https://hackerone.com/reports/240273",
  "title": "Possible Unsubscribing any Subscribed Email in https://ma.hacker.one/UnsubscribePage.html",
  "state": "Closed",
  "substate": "duplicate",
  "severity_rating": "none",
  "readable_substate": "Duplicate",
  "created_at": "2017-06-15T16:57:36.209Z",
  "reporter": {
    "disabled": false,
    "username": "cjlegacion",
    "url": "/cjlegacion",
    "profile_picture_urls": {
      "small": "https://profile-photos.hackerone-user-content.com/production/000/085/516/e2e8fec8cd989093705ee650bb427da37486ea90_small.jpg?1500409739"
    },
    "is_me?": true,
    "hacker_mediation": true
  },
  "team": {
    "id": 13,
    "url": "https://hackerone.com/security",
    "handle": "security",
    "profile_picture_urls": {
      "small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713",
      "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"
    },
    "permissions": [],
    "default_currency": "usd",
    "awards_miles": false,
    "state": "public_mode",
    "program_health_enabled": true,
    "profile": {
      "name": "HackerOne",
      "twitter_handle": "Hacker0x01",
      "website": "https://hackerone.com",
      "about": "Vulnerability disclosure should be safe, transparent, and rewarding."
    }
  },
  "has_bounty?": false,
  "in_validation?": false,
  "rejected_anc_report_that_can_be_sent_back_to_anc_triagers?": false,
  "can_view_team": true,
  "is_external_bug": false,
  "is_participant": true,
  "stage": 3,
  "public": false,
  "visibility": "private",
  "cve_ids": [],
  "singular_disclosure_disabled": true,
  "disclosed_at": null,
  "bug_reporter_agreed_on_going_public_at": null,
  "team_member_agreed_on_going_public_at": null,
  "comments_closed?": false,
  "vulnerability_information": "Hello HackerOne,\n\nI found that if the attacker are going to unsubscribe his/her email in the subscription list \n\n### Steps To Reproduce\n\n1. Go to https://www.hackerone.com/zerodaily/ and subscribe your email\n2. Wait for the email and Check the word \"Unsubscribe\" in email\n3. Now you are going to get an URL Link:https://ma.hacker.one/UnsubscribePage.html?mkt_unsubscribe=1\u0026mkt_tok=*\n4. Even the attacker are going to delete the parameter \"mkt_tok\" it's still able to put an email and unsubcribe the target email\n\nKindly check the attached photo\n\nThanks,\nCj Legacion\n",
  "vulnerability_information_html": "\u003cp\u003eHello HackerOne,\u003c/p\u003e\n\n\u003cp\u003eI found that if the attacker are going to unsubscribe his/her email in the subscription list \u003c/p\u003e\n\n\u003ch3 id=\"steps-to-reproduce\"\u003eSteps To Reproduce\u003c/h3\u003e\n\n\u003col\u003e\n\u003cli\u003eGo to \u003ca title=\"https://www.hackerone.com/zerodaily/\" href=\"/redirect?signature=4b8feec9f3a061cff971be82417f622694e9baba\u0026amp;url=https%3A%2F%2Fwww.hackerone.com%2Fzerodaily%2F\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"\u003e\u003cspan\u003ehttps://www.hackerone.com/zerodaily/\u003c/span\u003e\u003ci class=\"icon-external-link\"\u003e\u003c/i\u003e\u003c/a\u003e and subscribe your email\u003c/li\u003e\n\u003cli\u003eWait for the email and Check the word \u0026quot;Unsubscribe\u0026quot; in email\u003c/li\u003e\n\u003cli\u003eNow you are going to get an URL Link:\u003ca title=\"https://ma.hacker.one/UnsubscribePage.html?mkt_unsubscribe=1\u0026amp;mkt_tok=*\" href=\"/redirect?signature=4523826e173df9b36c7a94849905f85c55ec252b\u0026amp;url=https%3A%2F%2Fma.hacker.one%2FUnsubscribePage.html%3Fmkt_unsubscribe%3D1%26mkt_tok%3D%2A\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"\u003e\u003cspan\u003ehttps://ma.hacker.one/UnsubscribePage.html?mkt_unsubscribe=1\u0026amp;mkt_tok=*\u003c/span\u003e\u003ci class=\"icon-external-link\"\u003e\u003c/i\u003e\u003c/a\u003e\n\u003c/li\u003e\n\u003cli\u003eEven the attacker are going to delete the parameter \u0026quot;mkt_tok\u0026quot; it\u0026#39;s still able to put an email and unsubcribe the target email\u003c/li\u003e\n\u003c/ol\u003e\n\n\u003cp\u003eKindly check the attached photo\u003c/p\u003e\n\n\u003cp\u003eThanks,\u003cbr\u003e\nCj Legacion\u003c/p\u003e\n",
  "weakness": {
    "id": 12,
    "name": "Array Index Underflow"
  },
  "original_report_id": 225627,
  "original_report_url": "https://hackerone.com/reports/225627",
  "attachments": [
    {
      "id": 194617,
      "file_name": "PossibleUnsubscribingTargetEmail1.png",
      "expiring_url": "https://hackerone-attachments.s3.amazonaws.com/production/000/194/617/fb153cb18f55ba9fb45dcbf125b195e2be9e523d/PossibleUnsubscribingTargetEmail1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=ASIAJYQ7TICTUZIISV2Q%2F20171128%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20171128T203313Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=FQoDYXdzEKr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDGPgOqGbwjAq%2Bu0jCyK3A%2FaUXmC9H8EKubiokU3lDumFQZtDp77H6DaZxKahUYXX5cYhrxRv5m0kUqVBfnHQgq4JWZnQtKE6FEJNf4RzLaN4NPbhhrKRAMWrqiskcDToWRBeAun1M5Yse3viPWqKY5kO%2FsSC7tzn5U78TP%2By18rK4jhoVsAu7q3RlqOCMWXltdeccKT96smYgJ6QmazLJ3NifvaSWj%2BtcVXpBNwszq7BdOLNLEqEH7izbBJF0g8SPS%2F36qPAAdO53sNvX6gmOfFaI5hhK9PPEKtM5J4t7Pn447g8O3aPiUdSfFeGyh%2BsQW%2FoDb5BFkz68SYpqWCRhOXGnoRsX%2BjmkKkECBrAckE2xdT79MK%2Brq3LePXNeWW2jujW8EHMefCmcuxutAUjLfjb%2FlDiCbytnjifXZWP8cpdK9yec5x6%2BHrtJ%2BauXffVtkIlg1NfiLk7ST98WNVmSGdUj1t6VViWx1ySHCdkEnKv7hn8Mnt499E0VAlUoUPKVwMZeQTXJ3yI%2B4caqguZrVxLHNRjPoX%2FaEQGEDcQfSHbTWQ%2FtLZzfxFYf7MReIX5%2FQPQPe20qOtv%2Bo%2F2jGdN704eipgCdEYok5320AU%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=b2c9c2c0dd4235de7d6b0b97270d3760ecb2a59b578bb18ff1ae38b12fbd0b78",
      "type": "image/png"
    },
    {
      "id": 194618,
      "file_name": "PossibleUnsubscribingTargetEmail.png",
      "expiring_url": "https://hackerone-attachments.s3.amazonaws.com/production/000/194/618/403a5c7e9e41256491665c07e4f34b0271a52796/PossibleUnsubscribingTargetEmail.png?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=ASIAJYQ7TICTUZIISV2Q%2F20171128%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20171128T203313Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=FQoDYXdzEKr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDGPgOqGbwjAq%2Bu0jCyK3A%2FaUXmC9H8EKubiokU3lDumFQZtDp77H6DaZxKahUYXX5cYhrxRv5m0kUqVBfnHQgq4JWZnQtKE6FEJNf4RzLaN4NPbhhrKRAMWrqiskcDToWRBeAun1M5Yse3viPWqKY5kO%2FsSC7tzn5U78TP%2By18rK4jhoVsAu7q3RlqOCMWXltdeccKT96smYgJ6QmazLJ3NifvaSWj%2BtcVXpBNwszq7BdOLNLEqEH7izbBJF0g8SPS%2F36qPAAdO53sNvX6gmOfFaI5hhK9PPEKtM5J4t7Pn447g8O3aPiUdSfFeGyh%2BsQW%2FoDb5BFkz68SYpqWCRhOXGnoRsX%2BjmkKkECBrAckE2xdT79MK%2Brq3LePXNeWW2jujW8EHMefCmcuxutAUjLfjb%2FlDiCbytnjifXZWP8cpdK9yec5x6%2BHrtJ%2BauXffVtkIlg1NfiLk7ST98WNVmSGdUj1t6VViWx1ySHCdkEnKv7hn8Mnt499E0VAlUoUPKVwMZeQTXJ3yI%2B4caqguZrVxLHNRjPoX%2FaEQGEDcQfSHbTWQ%2FtLZzfxFYf7MReIX5%2FQPQPe20qOtv%2Bo%2F2jGdN704eipgCdEYok5320AU%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=06ddc03b66fc3de4980d490b5bb11a09bf55846d6baec118ef5e9e6b23199f28",
      "type": "image/png"
    }
  ],
  "severity": {
    "rating": "none",
    "author_type": "User"
  },
  "structured_scope": {
    "databaseId": 3,
    "asset_type": "URL",
    "asset_identifier": "https://hackerone.com",
    "max_severity": "critical"
  },
  "abilities": {
    "can_manage?": false,
    "can_export?": false,
    "can_add_comment?": true,
    "can_change_state?": false,
    "can_reopen?": false,
    "can_award_bounty?": false,
    "can_award_swag?": false,
    "can_suggest_bounty_amount?": false,
    "can_assign_to_user?": false,
    "can_hide_timeline?": false,
    "can_agree_on_going_public?": true,
    "can_be_publicly_disclosed?": false,
    "can_post_internal_comments?": false,
    "can_manage_common_responses?": false,
    "can_use_common_responses?": false,
    "can_reassign_to_team?": false,
    "can_change_title?": false,
    "can_change_weakness?": false,
    "can_be_manually_disclosed?": false,
    "can_clone?": false,
    "can_close?": false,
    "can_ban_researcher?": false,
    "can_create_severity?": false,
    "can_close_comments?": false,
    "can_change_structured_scope?": false,
    "can_manage_collaborators?": false,
    "can_view_bounty_weights?": true,
    "can_redact?": false,
    "assignable_team_members": [],
    "assignable_team_member_groups": []
  },
  "is_member_of_team?": false,
  "activities": [
    {
      "id": 1759787,
      "is_internal": false,
      "editable": false,
      "type": "Activities::BugDuplicate",
      "message": "Hi [@cjlegacion](/cjlegacion),\n\nThis is a duplicate of #225627.\n\nCheers!",
      "markdown_message": "\u003cp\u003eHi \u003ca href=\"/cjlegacion\"\u003e@cjlegacion\u003c/a\u003e,\u003c/p\u003e\n\n\u003cp\u003eThis is a duplicate of \u003ca href=\"/reports/225627\"\u003e#225627\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eCheers!\u003c/p\u003e\n",
      "automated_response": false,
      "created_at": "2017-06-15T22:30:57.230Z",
      "updated_at": "2017-06-15T22:30:57.230Z",
      "original_report_id": 225627,
      "actor": {
        "username": "asuka",
        "url": "/asuka",
        "profile_picture_urls": {
          "medium": "https://profile-photos.hackerone-user-content.com/production/000/111/923/c73a42c0f9ea47ce5554fbab2411978f2bb985f8_medium.jpg?1474068574"
        }
      },
      "genius_execution_id": null,
      "team_handle": "security"
    },
    {
      "id": 1760238,
      "is_internal": false,
      "editable": false,
      "type": "Activities::Comment",
      "message": "hello [@asuka](/asuka),\n\nCan i filed a duplicate report in #225627 ?\n\nThanks",
      "markdown_message": "\u003cp\u003ehello \u003ca href=\"/asuka\"\u003e@asuka\u003c/a\u003e,\u003c/p\u003e\n\n\u003cp\u003eCan i filed a duplicate report in \u003ca href=\"/reports/225627\"\u003e#225627\u003c/a\u003e ?\u003c/p\u003e\n\n\u003cp\u003eThanks\u003c/p\u003e\n",
      "automated_response": false,
      "created_at": "2017-06-16T04:06:49.938Z",
      "updated_at": "2017-06-16T04:06:49.938Z",
      "actor": {
        "username": "cjlegacion",
        "url": "/cjlegacion",
        "profile_picture_urls": {
          "medium": "https://profile-photos.hackerone-user-content.com/production/000/085/516/d7206b4f9856baf1f3f8d30cf1650fe3f55b9bca_medium.jpg?1500409739"
        }
      },
      "genius_execution_id": null,
      "team_handle": "security"
    }
  ],
  "activity_page_count": 1,
  "activity_page_number": 1,
  "summaries": [
    {
      "category": "team",
      "can_view?": true,
      "can_create?": false
    },
    {
      "category": "researcher",
      "can_view?": true,
      "can_create?": true
    }
  ]
}

As you can see in the response, inside the "abilities" object there are the fields “can_award_bounty?” and “can_award_swag?”, both with the value “false”. If you were in my place, the first field you would test is “can_award_bounty?”, right?

Let’s proceed. After I changed the value of “can_award_bounty?” in the response from “false” to “true”, I didn’t get anything useful that would let me award a bounty on the report I was looking at.

At that point I thought that I really didn’t have enough knowledge to find a bug in HackerOne. But after spending another 10–15 minutes checking the HackerOne site, I saw the same request while looking at my own reports. That is when I realized that if you are a member of a team that is awarding a bounty on a valid report, you are able to set the amount that you want to award for it.

Because of that, I repeated what I had done on the other report, changing “can_award_bounty?” from “false” to “true” on my own report, and it revealed a very interesting endpoint that was going to make me “RICH”, lol.

Since I now felt I was going to be rich, I started checking what I could get by using it.

Request:

Response:

As you can see, the response shows

{"flash":"You have successfully awarded a bounty.","reports":[]}

and it makes me feel

But wait: after the page reloaded, it did not show that the report had been awarded a bounty. So the success message was just a message; nothing had actually changed on the server side.

But because the response was interesting, I repeated the request in Burp Suite’s Repeater, this time adding a value to the “bounty_balance” parameter, and accidentally got a response that changed my mood from “sad” to “WTF”.

Request:

Response:

It showed an error:

{"flash":null,"reports":[{"errors":["Validation failed: insufficient funds to award this bounty."]}]}

This error only appears when the value I sent is larger than what the program has available, so by adjusting the value and repeating the request I was able to work out the exact bounty balance of any program I wanted to check. But something was bothering me. Why? Because it is only the bounty balance of the program, and “What is the security impact here?” So I started asking Root Access and Sean (zseano) whether it was really a security vulnerability (lol) and whether HackerOne would accept this kind of bug.
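To make the two halves of this concrete, here is an added example (my own illustration, not HackerOne’s code): a toy award-bounty handler whose validation runs before its authorization check, which is the ordering that produces exactly the behaviour above (a success message that changes nothing, plus an “insufficient funds” error that anyone can trigger), the hardened ordering beside it, and a client that binary-searches the error to recover the balance. The field names (`amount_cents`, `can_award`), the starting balance and the search ceiling are all assumptions made for the illustration; the write-up does not show the real request parameters.

```python
"""
Added example, not HackerOne's code. Models an award-bounty endpoint in two
check orderings and turns the "insufficient funds" error into a balance
oracle. Field names, balances and the search bound are assumptions.
"""
from typing import Callable, Optional

SUCCESS_FLASH = "You have successfully awarded a bounty."
INSUFFICIENT = "Validation failed: insufficient funds to award this bounty."
FORBIDDEN = "You are not allowed to award a bounty on this report."


class Program:
    """Constructed test data: one program with its bounty pool in cents."""

    def __init__(self, balance_cents: int) -> None:
        self.balance_cents = balance_cents


def award_bounty_vulnerable(program: Program, can_award: bool, amount_cents: int) -> dict:
    """Validates the amount against the pool BEFORE the authorization check,
    so the validation error leaks the balance to any caller who can reach the
    endpoint. The unauthorized branch answers with the success flash without
    changing state, mirroring what the write-up saw after the page reload
    (modelled on that observation; the real server logic is not known)."""
    if amount_cents > program.balance_cents:
        return {"flash": None, "reports": [{"errors": [INSUFFICIENT]}]}
    if not can_award:
        return {"flash": SUCCESS_FLASH, "reports": []}
    program.balance_cents -= amount_cents
    return {"flash": SUCCESS_FLASH, "reports": []}


def award_bounty_hardened(program: Program, can_award: bool, amount_cents: int) -> dict:
    """Authorization first: an unauthorized caller gets one fixed answer no
    matter what amount is sent, so there is nothing left to measure."""
    if not can_award:
        return {"flash": None, "reports": [{"errors": [FORBIDDEN]}]}
    if amount_cents <= 0 or amount_cents > program.balance_cents:
        return {"flash": None, "reports": [{"errors": [INSUFFICIENT]}]}
    program.balance_cents -= amount_cents
    return {"flash": SUCCESS_FLASH, "reports": []}


def says_insufficient(response: dict) -> bool:
    """True when the JSON carries the insufficient-funds validation error."""
    return any(
        INSUFFICIENT in err
        for report in response.get("reports", [])
        for err in report.get("errors", [])
    )


def extract_balance(probe: Callable[[int], dict], upper_cents: int) -> Optional[int]:
    """Binary-search the largest amount the endpoint accepts without the
    insufficient-funds error; that amount is the balance. `probe(amount)`
    sends one request and returns the parsed JSON. Returns None when the
    endpoint does not leak (or the balance is above `upper_cents`).
    Costs roughly log2(upper_cents) requests."""
    if not says_insufficient(probe(upper_cents + 1)):
        return None
    lo, hi = 0, upper_cents + 1  # invariant: lo is accepted, hi is rejected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if says_insufficient(probe(mid)):
            hi = mid
        else:
            lo = mid
    return lo


def demo() -> dict:
    """Run the oracle as an unprivileged caller against both handlers."""
    program = Program(balance_cents=1_234_567)  # constructed: $12,345.67
    calls = {"vulnerable": 0, "hardened": 0}

    def vulnerable_probe(amount: int) -> dict:
        calls["vulnerable"] += 1
        return award_bounty_vulnerable(program, can_award=False, amount_cents=amount)

    def hardened_probe(amount: int) -> dict:
        calls["hardened"] += 1
        return award_bounty_hardened(program, can_award=False, amount_cents=amount)

    bound = 1_000_000_000  # assumed search ceiling: $10,000,000
    return {
        "vulnerable_leaks": extract_balance(vulnerable_probe, bound),
        "hardened_leaks": extract_balance(hardened_probe, bound),
        "requests": dict(calls),
        "balance_after": program.balance_cents,
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable ordering the unprivileged caller recovers the full balance in about thirty requests and never spends a cent, because the state change sits behind the check that fails; against the hardened ordering the very first probe comes back with the same answer as every other, and the search stops. The fix is the ordering, not the wording of the error: authorize the action before validating its parameters, and return the same response to every unauthorized caller.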

After getting a response from @zseano that the bug I found was acceptable, I urgently reported it, and in just 30 seconds it was triaged by @jobertabma.

But sometimes bad luck is always there: the bug I found was a duplicate, just 22 hours behind the first reporter, report #293299. It made me upset, but because my report was “well written”, as @jobertabma said, it was rewarded with swag, which was the only thing on my mind while creating the report for the HackerOne program anyway.

For anyone who didn’t understand how I found this bug, here is a video that I can share on this blog. Before you watch it, I want to apologize for the video PoC, because it is a 5-minute video.

This vulnerability has probably been fixed by HackerOne by now. But always remember that even if your reports keep coming back as duplicates, it doesn’t mean you didn’t get a reward. The reward you can claim here is the knowledge and skill that you can use in your future penetration tests on the other applications that you will test or use.

Kindly share if you like my first write-up. If there’s something wrong with this write-up, just comment below. Also follow me on my Twitter account for more write-ups. Thanks!

Web Security Researcher,
Cj Legacion
