HackerOne, a platform that employs professional hackers to uncover loopholes in the security systems of businesses and well-known companies, has been hacked by one of its own users. According to the report, HackerOne paid the user a bug bounty of $20,000.
HackerOne dedicates its platform to ethical hackers who search for vulnerabilities in the systems of Twitter, Uber, Microsoft, and others before malicious actors can take advantage of them. In a statement released by the platform, the hacker had no intention to harm them but simply carried out a white-hat hack.
As claimed by the report, a member of the platform identified as haxta4ok00 submitted a report to the bug bounty platform on 24 November 2019 stating that he had accessed a security analyst's account and could read all reports and access sensitive information.
Jobert Abma, a co-founder of HackerOne, admitted on the following day that the hacker had accessed the account without authenticating, and that the issue carried a high Common Vulnerability Scoring System (CVSS) rating. An internal investigation conducted by HackerOne concluded that haxta4ok00 had no malicious intent. It was confirmed that the hacker had deleted all the retrieved data.
HackerOne contacted the hacker, explaining that it was not necessary to open every page and report to establish that he had accessed its accounts. When asked why he had hacked the account, the hacker clarified that he meant no harm. He was ready to apologise if he had done something wrong, saying he had only launched a white-hat hack.
Image Source: www.zdnet.com
This is a very serious issue: far greater harm could have been inflicted, since the sensitive information of larger organisations would have been exposed had the hacker meant any harm. When such data ends up on the dark web, it becomes a cause for concern.
The official announcement released by the HackerOne spokesperson revealed that the data available to the security analyst did not represent all of the data on the platform. As claimed by the report, less than 5% of the entire database was affected, and the breach was attended to soon after.
The report further revealed how the hacker was able to trick the system and take advantage of a small piece of leaked information. According to the report, the HackerOne security analyst copied and pasted a cURL (client URL) command while communicating with haxta4ok00.
cURL is a command-line tool for transferring data without user interaction, and a cURL command copied from a browser can carry the request's headers with it. The pasted command contained the staff member's session cookie, a value that is normally discarded when the browser is closed and which lets the user navigate every page without re-entering authentication. With this simple mistake, the hacker was able to access the same information the security analyst could, without needing to authenticate.
Two hours after the breach, HackerOne revoked the session cookie as a preventive measure to block any further unauthorised access to the account. Restrictions were also added to security analyst sessions so that they can only be used from the originating IP address, the idea being to prevent any future occurrence. The incident strongly establishes that hackers are highly aware of their surroundings and have multiple methods to bypass security systems, especially at companies that pay less attention to cybersecurity and data protection.
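The root cause above is a session cookie travelling inside a copied cURL command. As an added example (not HackerOne's code, and with a constructed command and placeholder cookie value), the following Python function strips cookie and authorization material from a cURL command before it is pasted into a report or chat, and reports how many values it redacted:

```python
"""Redact session cookies and auth headers from a cURL command before sharing it."""
import shlex

# curl flags that carry cookie material directly.
COOKIE_FLAGS = {"-b", "--cookie"}
# curl flags whose argument is a raw HTTP header (may be "Cookie: ..." or "Authorization: ...").
HEADER_FLAGS = {"-H", "--header"}
SENSITIVE_HEADERS = {"cookie", "authorization"}
REDACTED = "[REDACTED]"


def _redact_header(value: str) -> str:
    """Keep the header name but replace the value if the header is sensitive."""
    name, sep, _ = value.partition(":")
    if sep and name.strip().lower() in SENSITIVE_HEADERS:
        return f"{name.strip()}: {REDACTED}"
    return value


def redact_curl(command: str) -> tuple[str, int]:
    """Return (sanitised command, number of redactions) for a pasted curl line."""
    tokens = shlex.split(command)
    out: list[str] = []
    count = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in COOKIE_FLAGS and i + 1 < len(tokens):
            out += [tok, REDACTED]          # -b 'session=...' -> -b [REDACTED]
            count += 1
            i += 2
        elif tok in HEADER_FLAGS and i + 1 < len(tokens):
            new = _redact_header(tokens[i + 1])
            count += int(new != tokens[i + 1])
            out += [tok, new]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(shlex.quote(t) for t in out), count


if __name__ == "__main__":
    # Constructed sample: a browser "Copy as cURL" line with a placeholder session cookie.
    sample = ("curl 'https://example.invalid/reports/123' "
              "-H 'Cookie: session=PLACEHOLDER_SESSION_VALUE' -H 'Accept: text/html'")
    print(redact_curl(sample))
```

Run the sanitiser on anything copied from a browser's "Copy as cURL" before it leaves your machine; the original cookie value never appears in the output.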
Bug bounty programs are slowly gaining popularity among hackers and computer-literate people who refuse to use their skills to breach systems and sell sensitive data on the dark web. According to one report, bug bounty programs give hackers the chance to earn over $350,000 a year. Most of them earn an average of $50,000 a month. The amount can go as high as $1 million a year, according to a report.
Image Source: www.verdict.co.uk
HackerOne is the biggest of all the bug bounty programs, with over 120,000 hackers taking advantage of its rewards. So far, about $26 million in rewards has been paid out, with more expected.
HackerOne is famous for its large rewards to hackers who detect vulnerabilities in products, and a number of hackers have made fortunes using its services.
Companies such as Instagram, Starbucks, and Slack take advantage of the HackerOne bug bounty program to detect vulnerabilities in their systems before they fall into the hands of malicious actors. The program aims to reduce the high number of data breaches recorded in recent years.
Source: BBC NEWS