Lucene search

K
hackeroneHillybot__H1:2323303
HistoryJan 17, 2024 - 12:00 p.m.

HackerOne: Program admins could add verified domains to an organization

2024-01-1712:00:37
hillybot__
hackerone.com
11
hackerone
organization
domain verification
privilege escalation
bug bounty
bypass

7.2 High

AI Score

Confidence

High

in hackerone according to the documentation https://docs.hackerone.com/en/articles/8490190-domain-verification only an organization admin could add verified domain .but there is an bypass.

steps to reproduce:

  1. create an sandbox
    2.remove org admin permission(you must add program admin permission before removing org admin)
  2. go to the url
    https://hackerone.com/<program you are admin of>/domain_ownerships/new
    4.from there you will be able to add verified domain in the org

Impact

access of restricted feature
privilage escalation

7.2 High

AI Score

Confidence

High