TeamProfile exposes partially sensitive information through GraphQL
State Resolved (Closed)
Disclosed publicly 2018-08-08T23:43:03.326Z
Reported To
Weakness Information Disclosure
Bounty $500


Timeline
submitted a report to HackerOne.
2018-08-02T12:13:33.345Z

I noticed there is a new field, team_profile, and by using the GraphQL query below, the latest serious report and the number of reports received in three months were exposed:

```graphql
# Sent as the "query" field of the request body, with variables {"first_0": 100}
query Dashboard_report_severity_breakdown_table($first_0: Int!) {
  query {
    id,
    ...F0
  }
}
fragment F0 on Query {
  _team4g1Zqs: team(handle: "security") {
    _structured_scopes3TsuIg: structured_scopes(first: $first_0) {
      edges {
        node {
          _id,
          asset_identifier,
          reports {
            total_count,
            count_by_severity
          },
          id
        },
        cursor
      },
      pageInfo {
        hasNextPage,
        hasPreviousPage
      }
    },
    _reports42Gng6: reports(without_scope: true) {
      total_count,
      count_by_severity
    },
    team_profile {
      _id,
      disclosed_reports_in_last_year_count,
      latest_report_created_at,
      latest_serious_report_created_at,
      reports_received_in_three_months_count
    },
    _id,
    id
  },
  id
}
```

If this is public information I can close this myself (my reputation is very low), but I think it's not, and it is worth reporting.

Impact

Information disclosure of the number of reports received in a 3-month period and other information not shown in the current UI.

Regards,
Frans

qwertyqwerty Activities::ReportTitleUpdated
2018-08-02T12:18:35.230Z


qwertyqwerty Activities::Comment
2018-08-02T12:20:23.762Z
Below is the result for the H1 query:

```
"team_profile": {
  "_id": "298",
  "disclosed_reports_in_last_year_count": 60,
  "latest_report_created_at": "2018-08-02T04:28:05.120Z",
  "latest_serious_report_created_at": "2018-07-31T03:34:38.522Z",
  "reports_received_in_three_months_count": 559
},
```


thefrog Activities::Comment
2018-08-03T14:10:19.625Z
Hi, Thank you for your submission. We have received your report. Best regards, @thefrog Security Analyst **HackerOne**


qwertyqwerty Activities::Comment
2018-08-06T17:43:47.770Z
Thank you @thefrog


qwertyqwerty Activities::Comment
2018-08-07T23:14:16.430Z
Now I checked the query I posted again, and the values are all null. @thefrog / @jobert, is my report valid?


jobert Activities::ReportSeverityUpdated
2018-08-08T02:36:05.099Z


jobert Activities::ReportTitleUpdated
2018-08-08T02:36:45.850Z


jobert Activities::BugTriaged
2018-08-08T02:38:09.636Z
Thanks for bringing this to our attention, @qwertyqwerty, this wasn't supposed to be public yet!


Activities::BountyAwarded
2018-08-08T02:38:33.771Z


jobert Activities::BugResolved
2018-08-08T02:39:07.403Z
Hi @qwertyqwerty - like you already noticed, we pushed a fix for the issue. Thanks again for bringing it to our attention, it's much appreciated!


qwertyqwerty Activities::Comment
2018-08-08T03:20:17.947Z
Thank you sir! No swag yet? :)


qwertyqwerty Activities::Comment
2018-08-08T14:03:54.944Z
Please disclose after redacting any information you think is confidential. Thank you again for the bounty.


jobert Activities::AgreedOnGoingPublic
2018-08-08T20:53:14.255Z
Earlier today we released this feature and enabled it for a number of programs. You can see them on [our Insights page](https://hackerone.com/security/insights). We were supposed to roll this out gradually. @qwertyqwerty pointed out that the information was disclosed, which helped us identify the root cause of the problem: we forgot to implement a proper feature flag for this particular data in GraphQL. To resolve the vulnerability, we're now explicitly checking whether the feature is enabled for the program so we're not unintentionally disclosing this information for programs that don't have the feature enabled. Thanks again, @qwertyqwerty!
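As an added example that is not HackerOne's code: a minimal resolver for the team_profile field, first without and then with the per-program feature-flag check described in the fix above. The field names and the sample values for the `security` program come from this report; the flag name `team_profile_insights`, the second program and the in-memory store are assumptions.

```javascript
// Added example, not HackerOne's implementation. Shows why a UI-only rollout
// gate is not enough: a GraphQL field stays reachable by direct query unless
// the resolver itself checks the per-program feature flag.

// Constructed sample data. Values for "security" are the ones quoted in the
// report; "other-program" and the flag name are assumed for illustration.
const TEAMS = {
  security: {
    featureFlags: { team_profile_insights: true },   // feature rolled out
    profile: {
      _id: "298",
      disclosed_reports_in_last_year_count: 60,
      latest_report_created_at: "2018-08-02T04:28:05.120Z",
      latest_serious_report_created_at: "2018-07-31T03:34:38.522Z",
      reports_received_in_three_months_count: 559,
    },
  },
  "other-program": {
    featureFlags: {},                                 // feature NOT enabled
    profile: {
      _id: "1000",
      disclosed_reports_in_last_year_count: 3,
      latest_report_created_at: "2018-08-01T10:00:00.000Z",
      latest_serious_report_created_at: null,
      reports_received_in_three_months_count: 12,
    },
  },
};

// Vulnerable resolver: hands back the profile for every team, so programs the
// feature was never enabled for still leak their counts through GraphQL.
function teamProfileResolverVulnerable(team) {
  return team.profile;
}

// Fixed resolver: the data is only returned when the program has the feature
// enabled; otherwise the field resolves to null, matching what the reporter
// saw after the fix was pushed.
function teamProfileResolverFixed(team) {
  if (team.featureFlags.team_profile_insights !== true) return null;
  return team.profile;
}

// Resolve the team_profile field for one team handle through a resolver.
function resolveTeamProfile(handle, resolver) {
  const team = TEAMS[handle];
  if (!team) return null;   // unknown handle: nothing to disclose
  return resolver(team);
}
```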


qwertyqwerty Activities::AgreedOnGoingPublic
2018-08-08T23:43:03.261Z


qwertyqwerty Activities::ReportBecamePublic
2018-08-08T23:43:03.357Z