HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program
2018-05-06T11:52:03
ID H1:347937 Type hackerone Reporter nismo Modified 2018-07-04T05:29:18
Description
Summary:
Hi Team!
On Team object the parameter "i_cannot_create_jira_webhook_reasons" is not NULL and gets the following default states when called for all programs ["CANNOT_VIEW","FEATURE_GATED","PROGRAM_PERMISSION_REQUIRED"]
If a Company Program runs a Private Program or a Public One, the "FEATURE_GATED" is missing (since the feature is not gated anymore), and therefore an attacker can find out if a Company is running a private program
POC
Company ██████ (not running private) gives "i_cannot_create_jira_webhook_reasons":["CANNOT_VIEW","FEATURE_GATED","PROGRAM_PERMISSION_REQUIRED"]
Company █████████ (running private) gives "i_cannot_create_jira_webhook_reasons":["CANNOT_VIEW","PROGRAM_PERMISSION_REQUIRED"]
Even Company HackerOne (running public) gives "i_cannot_create_jira_webhook_reasons":["CANNOT_VIEW","PROGRAM_PERMISSION_REQUIRED"]
All private programs and public have an overridden "FEATURE_GATED" so you get the idea
Solution
NULL the value maybe
PS: Thanks to @jobert who encouraged me to search deeper after the #347383 duplicate!
Thanks
nismo
Impact
Knowing companies that run private programs on HackerOne
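The following is an added example, not part of the report and not HackerOne's code: a regression check for the class of leak described above, next to a resolver that authorizes before computing the field (the report's "NULL the value" suggestion). The `Team` and `Viewer` types, the function names and the rule for when "FEATURE_GATED" applies are assumptions made for illustration; only the three reason strings come from the report.

```python
from dataclasses import dataclass
from itertools import product

# Reason strings come from the report; the resolver logic is a hypothetical model.
CANNOT_VIEW = "CANNOT_VIEW"
FEATURE_GATED = "FEATURE_GATED"
PROGRAM_PERMISSION_REQUIRED = "PROGRAM_PERMISSION_REQUIRED"

@dataclass(frozen=True)
class Team:  # hypothetical stand-in for the GraphQL Team object
    runs_private_program: bool
    runs_public_program: bool

@dataclass(frozen=True)
class Viewer:  # hypothetical stand-in for the requesting user
    is_member: bool
    can_manage_program: bool

def reasons_leaky(team, viewer):
    """Evaluates every check independently, so team state reaches outsiders."""
    reasons = []
    if not viewer.is_member:
        reasons.append(CANNOT_VIEW)
    # Assumed rule: the feature is gated only for teams with no program.
    if not (team.runs_private_program or team.runs_public_program):
        reasons.append(FEATURE_GATED)
    if not viewer.can_manage_program:
        reasons.append(PROGRAM_PERMISSION_REQUIRED)
    return reasons

def reasons_hardened(team, viewer):
    """Authorizes first: a viewer who cannot see the team always gets null."""
    if not viewer.is_member:
        return None
    return reasons_leaky(team, viewer)

def leaks_team_state(resolver):
    """True if an outsider's response varies with the team's private state."""
    outsider = Viewer(is_member=False, can_manage_program=False)
    seen = set()
    for private, public in product([False, True], repeat=2):
        result = resolver(Team(private, public), outsider)
        seen.add(None if result is None else tuple(result))
    return len(seen) > 1
```

Running `leaks_team_state` against each field resolver in a test suite flags any field whose value for an unauthorized viewer depends on state that viewer should not be able to observe.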
{"id": "H1:347937", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program", "description": "**Summary:**\n\nHi Team!\n\nOn Team object the parameter \"i_cannot_create_jira_webhook_reasons\" is not NULL and gets the following default states when called for all programs [\"CANNOT_VIEW\",\"FEATURE_GATED\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\nIf a Company Program runs a Private Program or a Public On the \"FEATURE_GATED\" is missing (Since the feature is not gated anymore) and therefore an attacker can find if a Company is running a private program\n\n##POC\n\n* Company \u2588\u2588\u2588\u2588\u2588\u2588 (not runnig private gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"FEATURE_GATED\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\n* Company \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 (running private) gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\n* Even Company HackerOne (running public) gives \"i_cannot_create_jira_webhook_reasons\":[\"CANNOT_VIEW\",\"PROGRAM_PERMISSION_REQUIRED\"]\n\nAll private programs and public has an overriden \"FEATURE_GATED\" so you get the idea\n\n#Solutiion\n\nNULL the value maybe\n\nPS: Thanks to @jobert who encouraged me to search deeper after the #347383 duplicate!\n\nThanks\n**nismo**\n\n## Impact\n\nKnowing companies that run private programs on Hackerone", "published": "2018-05-06T11:52:03", "modified": "2018-07-04T05:29:18", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/347937", "reporter": "nismo", "references": [], "cvelist": [], "lastseen": "2018-07-04T10:16:44", "viewCount": 10, "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-07-04T10:16:44", "rev": 2}, "dependencies": {"references": [], "modified": "2018-07-04T10:16:44", "rev": 2}, "vulnersScore": 0.4}, "bounty": 0.0, 
"bountyState": "resolved", "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/015/108/0b3fbdb458282dba9bb17c744bb4692390a5cb6c_small.jpeg?1456922391"}, "url": "/nismo", "username": "nismo"}, "immutableFields": []}