A hacker managed to compromise HackerOne, a company that itself pays white hat hackers to find security flaws for other companies. The hacker, identified only by the pseudonym haxta4ok00, found a way to compromise the HackerOne website and gain access to resources that allowed him to obtain information on other programs running on the platform.
HackerOne pays big bounties to hackers who manage to find vulnerabilities, so it was only fair that haxta4ok00 was paid as well: the white hat hacker received $20,000 for exposing the flaw.
“HackerOne was notified through the HackerOne Bug Bounty Program by a HackerOne community member (“hacker”) that they had accessed a HackerOne Security Analyst’s HackerOne account. A session cookie was disclosed due to a human error, which led to the hacker being able to access the account,” said HackerOne.
“The session cookie was revoked at 15:11 UTC, blocking all unauthorized access to the account. The technical investigation finished at 21:27 UTC, concluding that there was no malicious intent and that all copies of potentially sensitive information were deleted.”
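The statement above describes the whole chain: a valid session cookie leaked outside the analyst's browser, anyone holding it could act as that account, and revoking the cookie was what closed the door. The following added example (not HackerOne's code; the account name, client addresses and user-agent strings are constructed placeholders) shows a minimal session store that implements both halves of that defence: explicit revocation, and a check that a cookie presented from a client other than the one it was issued to is treated as a leaked session and revoked on the spot instead of being honoured.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: one placeholder analyst account and two distinct clients.
ANALYST = "analyst@example.invalid"   # placeholder, not a real account
CLIENT_ANALYST = {"ip": "203.0.113.10", "ua": "Mozilla/5.0 (analyst workstation)"}
CLIENT_OTHER = {"ip": "198.51.100.7", "ua": "curl/7.64.0"}


@dataclass
class Session:
    user: str
    ip: str
    ua: str
    issued_at: float
    revoked: bool = False
    anomalies: List[dict] = field(default_factory=list)


class SessionStore:
    """In-memory session store (illustrative, not a production component) that
    binds each cookie to the client context it was issued for, detects reuse
    from a different client, and supports explicit revocation."""

    def __init__(self, max_age_seconds: int = 8 * 3600):
        self.max_age = max_age_seconds
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, client: dict, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        issued = now if now is not None else time.time()
        self._sessions[token] = Session(user, client["ip"], client["ua"], issued)
        return token

    def revoke(self, token: str) -> bool:
        """Revoke a single session; this is the 'session cookie was revoked' step."""
        s = self._lookup(token)
        if s is None:
            return False
        s.revoked = True
        return True

    def revoke_all_for_user(self, user: str) -> int:
        """Revoke every live session of a user; returns how many were revoked."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n

    def _lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison so a lookup does not leak how much of a
        # guessed token matched a stored one.
        for stored, s in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return s
        return None

    def authenticate(self, token: str, client: dict, now: Optional[float] = None) -> dict:
        """Validate a presented cookie; returns {'ok', 'user', 'reason'}."""
        now = now if now is not None else time.time()
        s = self._lookup(token)
        if s is None:
            return {"ok": False, "user": None, "reason": "unknown token"}
        if s.revoked:
            return {"ok": False, "user": None, "reason": "revoked"}
        if now - s.issued_at > self.max_age:
            s.revoked = True
            return {"ok": False, "user": None, "reason": "expired"}
        if client["ip"] != s.ip or client["ua"] != s.ua:
            # A valid cookie arriving from a different IP / user agent is the
            # signature of a leaked or stolen session: record the anomaly for
            # the incident log, revoke the session, and fail closed.
            s.anomalies.append({"at": now, "ip": client["ip"], "ua": client["ua"]})
            s.revoked = True
            return {"ok": False, "user": None, "reason": "client mismatch; session revoked"}
        return {"ok": True, "user": s.user, "reason": "ok"}
```

A cookie copied out of the analyst's browser and replayed from another machine would fail the client-mismatch check here, and the anomaly record gives responders a timestamped first indicator. Binding to the client IP is the blunt version of this control; on mobile or proxied networks it produces false positives, so a real deployment would typically bind to a less volatile fingerprint, keep the short session lifetime, and still rely on explicit revocation as the backstop.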
The vulnerability was rated critical, which is the main reason for the large bounty; a critical finding usually earns about $7,500. The attacker loaded only a small number of programs, but had he had any ill intentions, the damage could have been much worse.
Of course, such incidents only serve to underline that no one is 100 percent secure: any online resource can be hacked given the right circumstances. HackerOne is now undergoing a security analysis that should reveal whether any significant issues related to program permissions persist.
HackerOne is often contracted by companies such as Dropbox, GitHub, Google Play, PayPal, and many others to set up bug bounty programs. Maintaining the highest possible level of security for itself is therefore imperative for HackerOne’s business model.