HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program

ID H1:877642
Type hackerone
Reporter kunal94
Modified 2020-07-25T01:13:57


On 19th May, a new parameter, policy_markdown_html, was introduced in the team GraphQL query. Using this query, it was possible to determine whether an external program was also running a private program on HackerOne, because the policy_markdown_html parameter returned the private internal policy.

[Note: Using this parameter, it was also possible to retrieve the policy of any private program the researcher had previously left.]



Request (GraphQL query; the handle is that of a program running externally, or of a private program the researcher had left):

query {
  team(handle: "example") {
    name
    policy_markdown_html
  }
}

Response JSON:

{
  "data": {
    "team": {
      "name": "example test",
      "policy_markdown_html": "No Technology is perfect and example believes that working with skilled security researchers............"
    }
  }
}

There are three different conditions, which I explain in this report:

  • Condition 1 - When an external program has no policy defined, policy_markdown_html is null.

  • Condition 2 - When an external program has a policy defined but is not running a private program internally, policy_markdown_html returns the same policy as the one shown on the program's front-end page.

  • Condition 3 - When an external program has a policy defined and is also running a private program, policy_markdown_html returns the internal policy, which differs from the public policy.
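The three conditions above come down to a missing authorization check on the field resolver: the field returns the most specific policy the team has, regardless of who is asking, so its value acts as an oracle for the existence of a private program. The following is an added example, not the report's or HackerOne's code. It models a team record and two resolvers for policy_markdown_html, one with the leaking behaviour the report describes and one scoped to the viewer, and checks whether an unauthenticated viewer can still tell condition 2 from condition 3. The data model, resolver names, sample teams and the "members" authorization rule are all assumptions made for the example; HackerOne's real schema and fix are not public on this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Team:
    """Constructed model of a HackerOne 'team' (program) record; not the real schema."""
    handle: str
    name: str
    public_policy_html: Optional[str]           # policy shown on the public page (None = none defined)
    private_policy_html: Optional[str] = None   # policy of an internal private program, if one runs
    members: Set[str] = field(default_factory=set)  # usernames invited to that private program


@dataclass
class Viewer:
    """The requesting user; username is None for an unauthenticated query."""
    username: Optional[str]


def can_view_private_program(team: Team, viewer: Viewer) -> bool:
    # Assumed authorization rule: only invited members may see the private program.
    return viewer.username is not None and viewer.username in team.members


def resolve_policy_leaky(team: Team, viewer: Viewer) -> Optional[str]:
    """Behaviour described in the report: the resolver ignores who is asking and
    returns the internal policy whenever one exists, so conditions 1-3 are all visible."""
    if team.private_policy_html is not None:
        return team.private_policy_html
    return team.public_policy_html


def resolve_policy_scoped(team: Team, viewer: Viewer) -> Optional[str]:
    """Hardened resolver (assumed fix, not HackerOne's actual patch): the private policy is
    returned only to members of the private program; everyone else gets exactly what the
    public page shows, so the field no longer reveals that a private program exists."""
    if can_view_private_program(team, viewer) and team.private_policy_html is not None:
        return team.private_policy_html
    return team.public_policy_html


Resolver = Callable[[Team, Viewer], Optional[str]]


def execute_team_query(teams: Dict[str, Team], handle: str, viewer: Viewer,
                       resolver: Resolver) -> dict:
    """Stand-in for `query { team(handle: ...) { name policy_markdown_html } }`."""
    team = teams.get(handle)
    if team is None:
        return {"data": {"team": None}}
    return {"data": {"team": {"name": team.name,
                              "policy_markdown_html": resolver(team, viewer)}}}


# Constructed sample data covering the report's three conditions.
SAMPLE_TEAMS: Dict[str, Team] = {
    "no-policy": Team("no-policy", "No Policy Corp", public_policy_html=None),
    "public-only": Team("public-only", "Public Only Corp",
                        public_policy_html="<p>Public policy text</p>"),
    "private-too": Team("private-too", "Private Too Corp",
                        public_policy_html="<p>Public policy text</p>",
                        private_policy_html="<p>Internal policy: private scope and rewards</p>",
                        members={"insider"}),
}


def outsider_can_distinguish(resolver: Resolver) -> bool:
    """True if an unauthenticated viewer sees different output for a program that is
    only public (condition 2) and one that also runs privately (condition 3)."""
    outsider = Viewer(username=None)
    seen = [execute_team_query(SAMPLE_TEAMS, h, outsider, resolver)["data"]["team"]["policy_markdown_html"]
            for h in ("public-only", "private-too")]
    return seen[0] != seen[1]


if __name__ == "__main__":
    print("leaky resolver distinguishable by outsider:", outsider_can_distinguish(resolve_policy_leaky))
    print("scoped resolver distinguishable by outsider:", outsider_can_distinguish(resolve_policy_scoped))
```

The design point is that the scoped resolver returns the same value for conditions 2 and 3 when the viewer is not a member, so nothing observable from outside depends on whether a private program exists; a member still receives the internal policy. A regression check of this kind (assert that an unauthenticated query against a "public-only" and a "private-too" fixture yields identical output) is the cheapest way to keep such a field from silently becoming an oracle again when new fields are added to the schema.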

On 26th June, the patch was completed and the report was resolved after a successful retest.

I would like to thank Hackerone Team for resolving this issue. :)