In the program portal, there is an option to add external people as participants in a bug report. The admin can later remove such a participant if needed.
The request for removing an external reporter looks like:
DELETE /reports/<report_id>/external_users/<user_id> HTTP/1.1
Accept-Encoding: gzip, deflate
It was observed that simply changing the value of <user_id> in the above URL generates a removal notification for the user associated with that user ID, even though that user was never invited as a participant in the bug report in the first place. The endpoint does not verify that the target user is actually a participant of the report before acting on the request.
Possible Impact(s):
* Because the request is processed, an email is sent via the HackerOne portal to that user notifying them of their removal (see screenshot 1). It is possible to send such emails on a mass scale to all HackerOne users. I haven't tried this but I think this can be done. The email originating from the HackerOne platform will look legitimate, but the users will be clueless as to what caused their removal from a report to which they were never invited.
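To make the missing check concrete, here is an added illustration (not HackerOne's code) of the DELETE handler in its vulnerable shape beside a hardened one; the report/admin data, mailer stand-in and function names are constructed for this example.

```python
# Added example, not code from the HackerOne platform. Models
# DELETE /reports/<report_id>/external_users/<user_id> with an in-memory
# store so the difference between the two handlers can be exercised.
from dataclasses import dataclass, field

@dataclass
class Report:
    id: int
    admins: set = field(default_factory=set)          # who may remove people
    external_users: set = field(default_factory=set)  # invited participant IDs

# Constructed sample data: report 1 run by "alice", one external user (42).
REPORTS = {1: Report(id=1, admins={"alice"}, external_users={42})}
SENT_EMAILS = []  # constructed stand-in for the platform mailer

def send_removal_email(user_id, report_id):
    SENT_EMAILS.append((user_id, report_id))

def remove_external_user_vulnerable(caller, report_id, user_id):
    """Vulnerable shape: notifies whoever <user_id> names, whether or not
    they were ever a participant in this report."""
    report = REPORTS[report_id]
    report.external_users.discard(user_id)  # silently a no-op for strangers...
    send_removal_email(user_id, report_id)  # ...but the email still goes out
    return 200

def remove_external_user_hardened(caller, report_id, user_id):
    """Hardened shape: authorise the caller, then confirm the target really is
    a participant before any state change or notification happens."""
    report = REPORTS.get(report_id)
    if report is None or caller not in report.admins:
        return 404  # same answer whether the report is missing or not ours
    if user_id not in report.external_users:
        return 404  # not a participant: nothing to remove, nothing to send
    report.external_users.remove(user_id)
    send_removal_email(user_id, report_id)  # only after both checks pass
    return 204
```

The membership check is the fix the report calls for; logging a 404 on a valid report ID with a non-member user ID is also a useful detection signal for enumeration attempts.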