HackerOne: Manipulate report timeline activity by using null byte.

2016-04-20T20:06:30
ID H1:133322
Type hackerone
Reporter siddiki
Modified 2016-07-01T18:15:02

Description

Null bytes are not permitted in the report body or even in the report title, but they can be submitted in the comment field of a self-close (by the reporter) or a change-status action (by the team). When a null byte is used as that comment, the corresponding report timeline activity disappears!

For example, report https://hackerone.com/reports/133317 was closed using a null byte in the comment.

{F88258}

The report details show no activity log entry for the closing, yet the report is closed.
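As an added example (not HackerOne's code), the defensive pattern this report points at: the null-byte check that already guards the title and body applied once, centrally, on every path that writes a timeline activity, plus a helper for finding stored entries that already contain control characters. All class and method names here are hypothetical.

```ruby
# Added example, not HackerOne's code. One shared text policy applied at the
# point where a timeline activity is created, so a status-change comment gets
# the same NUL-byte check as a report title or body. Names are hypothetical.
class InvalidUserText < StandardError; end

module TextPolicy
  # Reject NUL and any other C0 control character except tab, newline and
  # carriage return. Match on the raw bytes so a string with a mislabelled
  # encoding cannot make the check raise or be skipped.
  FORBIDDEN = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.freeze

  def self.validate!(field, value)
    raise InvalidUserText, "#{field}: must be a string" unless value.is_a?(String)
    raise InvalidUserText, "#{field}: contains NUL byte" if value.b.include?("\x00")
    raise InvalidUserText, "#{field}: contains control characters" if value.b.match?(FORBIDDEN)
    value
  end
end

TimelineActivity = Struct.new(:kind, :actor, :comment)

# Every path that writes a timeline entry goes through this one constructor,
# so a validation gap in a single form (self-close vs. change-status) cannot
# produce an entry the timeline later fails to show.
def record_activity(kind, actor, comment)
  TextPolicy.validate!("comment", comment)
  TimelineActivity.new(kind, actor, comment)
end

def close_report(actor, comment)
  record_activity(:close, actor, comment)
end

# Incident-response helper: find already-stored entries that slipped past
# validation, so they can be reviewed instead of staying silently hidden.
def activities_with_control_chars(activities)
  activities.select { |a| a.comment.is_a?(String) && a.comment.b.match?(TextPolicy::FORBIDDEN) }
end

if __FILE__ == $0
  puts close_report("reporter", "Resolved, closing.").inspect
  begin
    close_report("reporter", "closing\x00")
  rescue InvalidUserText => e
    puts "rejected: #{e.message}"
  end
end
```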