HackerOne: Internal attachments can be exported via "Export as .zip" feature

2016-11-29T03:04:52
ID H1:186230
Type hackerone
Reporter japz
Modified 2016-11-30T09:18:19

Description

Hello HackerOne Team

This newly disclosed report: #182358 Partial disclosure of report activity through new "Export as .zip" feature was not completely fix.

I have found that i can still view the attachment after it is being removed on the thread.

Best PoC is this #182358 since this is the newly fix and disclosed.

Steps to reproduce

  1. Go to https://hackerone.com/reports/182358
  2. Export the report as .zip
  3. Now extract the .zip file (HackerOne_Report-security#182358.zip)
  4. You will see that the image is still there, but base on the thread, you guys removed it on disclosed report.

I have attached the .zip file downloaded and save on my local and i can still view the removed image.

Disclosed partially removed attachment: {F138022}

Regards Japz