HackerOne: Minimum bounty of a private program is visible for users that were removed from the program

2015-10-17T04:45:49
ID H1:94336
Type hackerone
Reporter coolboss
Modified 2015-10-21T12:48:38

Description

Hello,

Privileged information is getting leaked to an unauthorized user in the json response of https://hackerone.com/reports/<report id>.json.

In a team there can be many members, also roles are defined. But an x-member of the team is getting information which should not be visible to him. (As I tested it on sandboxed team but it i believe it is also affecting other private programs )

Proof Of Concept :

  1. UserA is part of TeamA.
  2. UserA creates a test report.
  3. Now, UserA can access the report via Reports tab.
  4. Admin now removes the UserA from the team.
  5. Now, UserA becomes X-user of the team.
  6. UserA canNOT access the team.
  7. But can access the test report which he/she created.

When UserA accesses the report then a request is made to https://hackerone.com/reports/<report id>.json. Note the response for my test report.

{id: 94333, url: "https://hackerone.com/reports/94333", title: "asdf", state: "Open", substate: "new",…} abilities: {can_manage?: false, can_export?: false, can_add_comment?: true, can_change_state?: false,…} activities: [] bug_reporter_agreed_on_going_public_at: null can_view_team: true created_at: "2015-10-17T04:29:44.364Z" cve_ids: [] disclosed_at: null external_advisory_url: null has_bounty?: false id: 94333 is_external_bug: false is_member_of_team?: false is_participant: true minimum_bounty: 1000 public: false readable_substate: "New" ....

Here, some fields like minimum_bounty: 1000 and relevant team details are leaked. These fields are meant for only to people to whom the team is visible.

Attack Scenario :

I tested this bug on sandboxed team. But I believe this bug will affect the on going programs. Consider the scenario ... Private Program invites a User. User submits a bug. This bug will be visible to the user via Reports tab. Now, team decides to remove the User and removes him/her. Now, User can still get updates of the programs via the json response. The team information and bounty details are meant for only researchers who are invited to the program and people who are part of the team.

Let me know if you have any questions.

Thanks, Pranav