HackerOne redacted usernames disclosure in "Export as .pdf" feature
Severity: Low (3.4)
Weakness: Sensitive Information Disclosure
Bounty: $500
Hello hunters! I just want to share these new findings on the HackerOne bug bounty platform.
First, I just wanna let you know that I disagree with the rated severity being Low here, but I always respect the team's decision and final call despite disagreement arising on the report, so I requested a public disclosure for you guys to have full context on the vulnerability report.
Let’s start and make the write-up straight to the point :)
While browsing on HackerOne export report, I observed a new feature called “I want to redact all usernames”.
https://hackerone.com/reports/<REPORT-ID>.pdf?redact_usernames=true&pdf_type=reporter
By analyzing the new feature, this means that a user can share the report with anyone but have the option to not disclosed all involved participants' usernames (maybe for some reason). Please note that the report can be non-disclosed or private reports.
So I proceeded with exporting one of my reports but the .pdf file is a little bit messy.
The above image shows a .pdf report after exporting using the new feature “I want to redact all usernames”
After analyzing the pdf output and filtering out the messy strings, I’ve found that the report was still disclosing all the redacted usernames despite I selected “I want to redact all usernames”.
The filtered output shows the reporter's username.
Please note that the provided PoC only shows the reporter username but all usernames in the report were disclosed including analysts' usernames.
I submitted the report to HackerOne, and they reverted the new feature and completely removed it from the export feature after my vulnerability submission.
The report was closed and rewarded but I disagree with the severity. The main purpose of redacting feature is for the usernames/strings to not be disclosed to anyone, and directly unintentionally disclosing it will result in a Sensitive Information Exposure.
HackerOne staff lowers the severity from Medium to Low...
I disagree with the reasoning of “Only public usernames would be leaked”. It’s a little bit illogical, the fact that the data was redacted means the data was not public anymore! make sense?
Disagreement with the severity arises and a final call was concluded.
The final call on the severity of the report submission.
Again, even in the final comments, two things I believed were wrong here.
We’ve discussed this internally together with @jobert and we came to the conclusion that the confidentiality part of this should stay at
low
. One username, from the original reporter, was leaked in a small not commonly used feature. The value of the PII exposed was not high.
First, “One username, from the original reporter” was leaked. It’s not only one username that is being disclosed on the vulnerability, It’s almost all usernames of involved participants. I just put one username from the report header for PoC purposes only and thought HackerOne have a keen eye to check all affected areas of the report, that being said I provided them an additional PoC video (see the video at the bottom of the write-up)
Second, the phrase “was leaked in a small not commonly used feature.” This reasoning for evaluating severity is not acceptable IMO, it becomes not commonly used because it was just recently deployed, and they even reverted the deployment after it introduces a new vulnerability.
The username is part of the report details, In the history of HackerOne-disclosed reports Jobert always says accessing report details that are supposed to be private always bumps the confidentiality to High
.
For example, this disclosed report Reading redacted data via hackbot’s answers was rated Medium
severity despite the submission did not directly disclose the exact redacted data, the attacker uses brute force by analyzing the hack bots' response, while my submission directly disclosed the redacted data (which is usernames in this case)
Another example is this Partial disclosure of report activity through new “Export as .zip” feature. You will see that the redacted data was disclosed and confidentiality was rated as High
Yes, I know you are thinking it is “username only”. But the fact that the feature is redacting the data, the redacted data becomes confidential/private, it doesn’t matter if it is usernames or another part of the report, we need to understand the real purpose of a specific feature and why they created that feature.
I believe the severity was treated unfairly but this is how bug bounty works, a final call is always with the team's decision and I respect that.
Thanks to all the HackerOne team members who attended that report.
Below is the PoC video I provided to back up my claim that the submission not only disclosed one username but also other usernames including analyst and or team member usernames that are participating in the report.
Original report submission: https://hackerone.com/reports/2054222
Timeline:
July 6, 2023 — Report submitted
July 8, 2023 — Report acknowledged by HackerOne triage
July 12, 2023 —The feature for I want to redact all usernames was removed
July 20, 2023 — Report change from New to Triage status
August 3, 2023 —Report rewarded with $500 and closed as resolved
Twitter: https://twitter.com/japzdivino
Subscribe to my newsletter
Read articles from Japz Divino directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Japz Divino
Japz Divino
Gamer by day. a bug bounty hunter by night An active information security researcher in HackerOne.com receives an acknowledgment both local and international, rewarded by different giant companies such as Facebook, Microsoft, PayPal, Quora, SAP, U.S Dept of Defense, and many more. An ethical hacker who loves to play games :) Email: robindivino@pm.me Twitter: https://twitter.com/@japzdivino Fb Page: https://www.facebook.com/japzdivino Whitehat Hacker Profile: https://hackerone.com/japz https://bugcrowd.com/japzdivino