A hacker managed to compromise HackerOne, a company that itself pays white hat hackers to find security flaws for other companies.
The hacker, identified only by the pseudonym haxta4ok00, figured out a way to compromise the HackerOne website and gain access to an account that exposed information about other programs running on the platform.
HackerOne pays big bounties to hackers who manage to find vulnerabilities, so it was only fair to pay haxta4ok00 as well. The white hat hacker received $20,000 for exposing the flaw.
“HackerOne was notified through the HackerOne Bug Bounty Program by a HackerOne community member (“hacker”) that they had accessed a HackerOne Security Analyst’s HackerOne account. A session cookie was disclosed due to a human error, which led to the hacker being able to access the account,” said HackerOne. “The session cookie was revoked at 15:11 UTC, blocking all unauthorized access to the account. The technical investigation finished at 21:27 UTC, concluding that there was no malicious intent and that all copies of potentially sensitive information were deleted.”
The vulnerability was rated critical, which is the main reason for the large bounty; the usual payout is about $7,500. The hacker only accessed a small number of programs, but, had he had any ill intentions, the damage could have been much worse.
Of course, such incidents only serve to underline that no one is 100 percent secure: all online resources can be hacked given the right circumstances. HackerOne is now undergoing a security analysis that should reveal whether any significant issues related to program permissions persist.
HackerOne is often contracted by companies such as Dropbox, GitHub, Google Play, PayPal, and many others to set up bounty programs. Maintaining the highest possible level of security for itself is imperative for HackerOne’s business model.