{"id": "H1:347937", "hash": "dc9976b8fd55c081fd7fc9a084163409", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program", "description": "**Summary:**\n\nHi Team!\n\nOn Team object the parameter \"i_cannot_create_jira_webhook_reasons\" is not NULL and gets the following default states when called for all programs [\"CANNOT_VIEW\",\"FEATURE_GATED\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\nIf a Company Program runs a Private Program or a Public On the \"FEATURE_GATED\" is missing (Since the feature is not gated anymore) and therefore an attacker can find if a Company is running a private program\n\n##POC\n\n* Company \u2588\u2588\u2588\u2588\u2588\u2588 (not runnig private gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"FEATURE_GATED\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\n* Company \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 (running private) gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\n* Even Company HackerOne (running public) gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\nAll private programs and public has an overriden \"FEATURE_GATED\" so you get the idea\n\n#Solutiion\n\nNULL the value maybe\n\nPS: Thanks to @jobert who encouraged me to search deeper after the #347383 duplicate!\n\nThanks\n**nismo**\n\n## Impact\n\nKnowing companies that run private programs on Hackerone", "published": "2018-05-06T11:52:03", "modified": "2018-07-04T05:29:18", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/347937", "reporter": "nismo", "references": [], "cvelist": [], "lastseen": "2018-07-04T10:16:44", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-07-04T10:16:44"}, "dependencies": {"references": [], "modified": "2018-07-04T10:16:44"}, "vulnersScore": 0.4}, "objectVersion": "1.4", "bounty": 0.0, "bountyState": "resolved", "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/015/108/0b3fbdb458282dba9bb17c744bb4692390a5cb6c_small.jpeg?1456922391"}, "url": "/nismo", "username": "nismo"}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}

{}