HackerOne: Insecure Direct Object Reference vulnerability

2015-02-04T02:08:22
ID H1:46397
Type hackerone
Reporter anshuman_bh
Modified 2015-02-20T03:07:05

Description

In the program portal, there is an option to add external people as participants in a bug report. The admin can then remove this person as well if needed.

The request for removing an external reporter looks like:

DELETE /reports/<report_id>/external_users/<user_id> HTTP/1.1
Host: hackerone.com
User-Agent: <redacted>
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: <redacted>
X-Requested-With: XMLHttpRequest
Referer: <redacted>
Cookie: <redacted>
Connection: keep-alive

It was observed that by simply changing the value of <user_id> in the above URL, it is possible to generate a delete notification for the user associated with that particular user id even though that user was never invited as a participant for that bug report in the first place.

Possible Impact(s):

  • Due to the above request being sent, an email gets sent via the HackerOne portal to that particular user notifying them of their removal. See screenshot 1. It is possible to send such emails on a mass scale to all HackerOne users. I haven't tried this but I think this can be done. The email originating from the HackerOne platform will look legitimate, but the users will be clueless as to what caused their removal from a report to which they were never invited.

  • A malicious admin can possibly generate notifications within a bug report of removing participants which they never added, which might be a little confusing to other admins/participants. See screenshot 2, where I was able to remove certain folks without inviting them. I apologize for the 2 emails that were sent out to two different HackerOne researchers accidentally. I was just testing and didn't realize that this would actually work.
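The root cause above is object-level authorization that checks the actor's role but never checks that <user_id> is actually a participant of <report_id>. The following is an added illustration in Python (not HackerOne's code; the in-memory store, user names and report ids are constructed) showing a handler with that missing check next to one that resolves the user through the report first, so a non-participant id produces no state change and no notification email:

```python
def make_store():
    """Constructed sample state: report 101 has one external participant, 'carol'."""
    return {
        "reports": {
            101: {"admins": {"alice"}, "external_users": {"carol"}},
            102: {"admins": {"bob"}, "external_users": set()},
        },
        # (recipient, report_id) for every removal notification that went out
        "sent_emails": [],
    }


def remove_external_user_vulnerable(store, actor, report_id, user_id):
    """Behaviour as described in the report: only the actor's role is checked.
    user_id is taken straight from the URL and never compared against the
    report's participant list, so discard() is a silent no-op for a stranger
    and the removal email is still sent to them."""
    report = store["reports"][report_id]
    if actor not in report["admins"]:
        return "forbidden"
    report["external_users"].discard(user_id)
    store["sent_emails"].append((user_id, report_id))
    return "removed"


def remove_external_user_fixed(store, actor, report_id, user_id):
    """Object-level authorization: look the user up *through* the report, so
    the request can only act on ids that are participants of that report."""
    report = store["reports"].get(report_id)
    if report is None or actor not in report["admins"]:
        return "forbidden"
    if user_id not in report["external_users"]:
        # Not a participant: respond as if the resource does not exist and
        # trigger no side effects (no deletion, no notification).
        return "not_found"
    report["external_users"].remove(user_id)
    store["sent_emails"].append((user_id, report_id))
    return "removed"
```

The same membership check is also the point to log: a removal request whose target was never a participant is an audit event worth alerting on, since a legitimate client never produces one.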

Cheers! /ab