HackerOne: Manipulate report timeline activity by using null byte.

ID H1:133322
Type hackerone
Reporter siddiki
Modified 2016-07-01T18:15:02


Null bytes are not permitted in the report body, or even in the report title. But they can be used in the comment section of self-closing (for the reporter) and change-status (for the team). When a null byte is used as a comment, that report timeline activity disappears!

For example: the report https://hackerone.com/reports/133317 was closed using a null byte in the comment.


There is no activity log in the report details for the closing, but the report is closed.
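
A defensive sketch of the two checks this report points to, as an added example and not HackerOne's code: one validator applied to every free-text field, including status-change comments, and an audit that flags a report whose state has no matching timeline entry. The `Report` class, its field names and the state strings are assumptions made for illustration.

```python
import unicodedata


class InvalidText(ValueError):
    """Raised when a free-text field contains a disallowed control character."""


def validate_text(field, value):
    """Reject NUL and other control characters in any user-supplied text."""
    for offset, ch in enumerate(value):
        # Category "Cc" covers U+0000 and the other C0/C1 controls.
        # Tab, newline and carriage return stay allowed for multi-line comments.
        if unicodedata.category(ch) == "Cc" and ch not in "\t\n\r":
            raise InvalidText(
                f"{field}: control character U+{ord(ch):04X} at offset {offset}"
            )
    return value


class Report:
    """Hypothetical report model: title, body, state and a timeline of activities."""

    def __init__(self, title, body):
        # The same validator guards every field, so title/body and comments
        # cannot drift apart in what they accept.
        self.title = validate_text("title", title)
        self.body = validate_text("body", body)
        self.state = "new"
        self.timeline = []  # list of (action, comment) tuples

    def change_state(self, new_state, comment=""):
        # Validate before mutating: a rejected comment must not leave a
        # state change behind without its timeline entry.
        comment = validate_text("comment", comment)
        self.timeline.append((f"state:{new_state}", comment))
        self.state = new_state


def unlogged_state_change(report):
    """Audit invariant: current state must equal the last state activity logged."""
    logged = [a.split(":", 1)[1] for a, _ in report.timeline if a.startswith("state:")]
    last_logged = logged[-1] if logged else "new"
    return report.state != last_logged
```

Running `unlogged_state_change` over stored reports finds records already in the condition described above: closed, with no closing activity on the timeline.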