HackerOne: View Any Program's Team Members through GET https://hackerone.com/invitations/

2017-10-26T07:25:32
ID H1:283014
Type hackerone
Reporter nickcas
Modified 2017-11-01T21:45:31

Description

@nickcas discovered that it was possible to view all the team members of a program through a JSON response that is sent when a user is invited to collaborate on a report (via the /invitations/<token> endpoint). He was able to provide a very clear PoC, which consisted of a list showing all the members of the HackerOne security program. We resolved the issue by removing the unneeded information from the response in the case of collaboration requests.
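The fix described above is a data-minimisation change: the invitation response should carry only what the invitee needs to act on the collaboration request, not the program's full roster. The following added example (not HackerOne's code; every value and field name is a constructed placeholder) contrasts a verbose serializer that dumps the whole internal record with an allow-list serializer, and includes a small recursive check that can be used in tests to assert that roster-related keys never reach the wire.

```python
import json

# Constructed sample record, shaped like what a backend might hold for a
# collaboration invitation. All values are placeholders, not real data.
INVITATION_RECORD = {
    "token": "TOKEN-PLACEHOLDER",
    "report": {"id": 1234, "title": "Example report title"},
    "program": {
        "handle": "example-program",
        "name": "Example Program",
        # Internal detail the invitee has no need to see.
        "team_members": [
            {"username": "alice", "email": "alice@example.invalid", "role": "admin"},
            {"username": "carol", "email": "carol@example.invalid", "role": "analyst"},
        ],
    },
    "invitee": {"username": "bob"},
}

# Keys that must never appear in a collaboration-invite response.
ROSTER_KEYS = frozenset({"team_members", "email", "role"})


def serialize_invitation_verbose(record: dict) -> str:
    """Mirrors the flawed behaviour: the entire record is returned as-is,
    so the program's team roster rides along with the invitation."""
    return json.dumps(record)


def serialize_invitation_minimal(record: dict) -> str:
    """Allow-list projection: only fields the invitee needs to accept the
    collaboration request are copied out; everything else is dropped."""
    projected = {
        "token": record["token"],
        "report": {
            "id": record["report"]["id"],
            "title": record["report"]["title"],
        },
        "program": {
            "handle": record["program"]["handle"],
            "name": record["program"]["name"],
        },
        "invitee": {"username": record["invitee"]["username"]},
    }
    return json.dumps(projected)


def find_forbidden_keys(payload: str, forbidden=ROSTER_KEYS) -> set:
    """Parse a JSON response and walk it recursively, returning the set of
    forbidden keys found anywhere in the structure (empty set means clean)."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in forbidden:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(payload))
    return found


if __name__ == "__main__":
    print("verbose leaks:", sorted(find_forbidden_keys(serialize_invitation_verbose(INVITATION_RECORD))))
    print("minimal leaks:", sorted(find_forbidden_keys(serialize_invitation_minimal(INVITATION_RECORD))))
```

The `find_forbidden_keys` check is the kind of regression test worth keeping once a response has been trimmed: it fails loudly if a later refactor reintroduces roster fields, regardless of how deeply they are nested.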