hackerone / Nagli / H1:2524939
History: May 29, 2024 - 2:51 p.m.

HackerOne: [Spot Check] - Ability to disclose metadata about Spot Checks (Number of Hackers + Hackers Criteria) via "SpotCheckSingleQuery"

2024-05-29 14:51:24
nagli
hackerone.com
Tags: hackerone, metadata leakage, confidential information, bugbounty, ui, program perspective, disclosure, metadata, criteria, spot check, remediation

AI Score: 6.8 Medium
Confidence: Low

Summary:

Hackers are able to leak private metadata about Spot Checks (number of hackers, total budget, criteria of selection).

Description:
When accepting a Spot Check, we are able to see the program that requested it, the budget and the description in the UI.

While navigating to the Spot Check page from the program perspective, and adding the ID to a URI such as

https://hackerone.com/organizations/████/spot_checks/██████

I was able to open the Spot Check settings as a program, which leaked metadata that should be confidential, such as:

████

Specifically, the Number of Hackers and the Hacker Selection Criteria.

The leak occurs at the SpotCheckSingleQuery parameter.

{"operationName":"SpotCheckSingleQuery","variables":{"id":"████████","product_area":"spot_checks","product_feature":"view"},

Steps To Reproduce

On a program view, navigate to https://hackerone.com/organizations/█████████/spot_checks/█████████, and change your spot_checks ID to the one you are onboarded to.

Remediation

Do not return the extra metadata that is rendered from program view.

Best,

@nagli

Impact

Ability to fetch extra confidential metadata on Spot checks.
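As an added illustration of the remediation above (example code, not HackerOne's own), a resolver for the SpotCheckSingleQuery operation that projects the record onto a per-role field allowlist, so the fields a viewer receives depend on the viewer's relationship to the Spot Check rather than on which UI issued the query. The store, field names and viewer model are assumptions; the visible/confidential split follows the report's description (program, budget and description visible to the invited hacker; hacker count and selection criteria program-only).

```python
# Constructed record; hacker_count and hacker_criteria are program-only (assumed names).
SPOT_CHECKS = {
    "sc-1": {
        "id": "sc-1", "program": "acme", "budget": 5000,
        "description": "Review the new payments flow",
        "hacker_count": 12, "hacker_criteria": "Top 50, mobile experience",
        "invited_hackers": {"h1", "h2"},
    },
}

# Allowlist per viewer role; any field not listed is dropped from the response.
FIELDS_BY_ROLE = {
    "program": {"id", "program", "budget", "description",
                "hacker_count", "hacker_criteria"},
    "hacker": {"id", "program", "budget", "description"},
}

def viewer_role(viewer, spot_check):
    """Role of the viewer relative to this spot check, or None if unrelated."""
    if spot_check["program"] in viewer["programs"]:
        return "program"
    if viewer["user_id"] in spot_check["invited_hackers"]:
        return "hacker"
    return None

def resolve_vulnerable(viewer, spot_check_id):
    """Before: the same program-perspective object is returned to any
    viewer who can reach the URL, so an invited hacker sees program-only fields."""
    sc = SPOT_CHECKS.get(spot_check_id)
    if sc is None or viewer_role(viewer, sc) is None:
        return None
    return {k: v for k, v in sc.items() if k != "invited_hackers"}

def resolve_fixed(viewer, spot_check_id):
    """After: authorization is decided per field by the viewer's role,
    not by which UI (program or hacker) issued the query."""
    sc = SPOT_CHECKS.get(spot_check_id)
    role = viewer_role(viewer, sc) if sc else None
    if role is None:
        return None
    return {k: v for k, v in sc.items() if k in FIELDS_BY_ROLE[role]}

def handle_graphql(viewer, request):
    """Dispatch the request shape quoted in the report to the fixed resolver."""
    if request.get("operationName") != "SpotCheckSingleQuery":
        raise ValueError("unsupported operation")
    return resolve_fixed(viewer, request["variables"]["id"])
```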
