A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately
State Resolved (Closed)
Disclosed publicly 2018-12-05T04:55:40.392Z
Reported To
Weakness Incorrect Authorization
Bounty $2,500


Timeline
submitted a report to HackerOne .
2018-11-30T04:06:36.539Z

Summary:
Hi team
Description:
Hacker can request agree-on-going-public to publish a report

Steps To Reproduce

  1. Create publish report

POST https://hackerone.com/reports/bulk

message=&reference=&add_reporter_to_original=false&reply_action=agree-on-going-public&reports_count=1&report_ids%5B%5D=██████████&bounty_currency=USD

███

Impact

Hacker can request agree-on-going-public to publish a report
Hacker bypasses the check by the moderator

Regards,
Frans

  • 0 attachments:
haxta4ok00 Activities::ReportTitleUpdated
2018-11-30T04:16:42.740Z


jobert Activities::ReportSeverityUpdated
2018-11-30T04:38:25.380Z


jobert Activities::ReportVulnerabilityTypesUpdated
2018-11-30T04:38:37.466Z


haxta4ok00 Activities::Comment
2018-11-30T04:39:34.505Z
wow) fastly


jobert Activities::BugTriaged
2018-11-30T04:40:10.794Z
Hi @haxta4ok00 - nice find! We were able to reproduce the vulnerability you reported. We will escalate this to the team and keep you posted throughout the process. We've removed the disclosed report for the time being. Please do not disclose any other reports. Thanks again, good luck, and happy hacking!


haxta4ok00 Activities::Comment
2018-11-30T04:41:14.676Z
Hi @jobert --
> Please do not disclose any other reports. Thanks again, good luck, and happy hacking!
Ok. Can you check report #410015?


Activities::BountyAwarded
2018-11-30T17:54:52.344Z
Thanks again, @haxta4ok00, this was a good find!


haxta4ok00 Activities::Comment
2018-11-30T17:58:55.112Z
Hi @jobert -- Thank you for a bounty!


haxta4ok00 Activities::Comment
2018-12-02T19:25:16.356Z
Hi @jobert -- During the test, I wondered if the published report will be displayed in my inbox after the disclosure? I didn't have time to check it during the test, and now I can't check it because of your request not to disclose more reports. Can you check this case? Thank you!


jobert Activities::Comment
2018-12-04T19:36:37.730Z
Hi @haxta4ok00 - if that were to be the case, what do you think the problem is with that? Any report that you publish can be found through the Inbox (I believe it's under All).


haxta4ok00 Activities::Comment
2018-12-04T19:43:26.371Z
Hey @jobert --
> if that were to be the case, what do you think the problem is with that?
I'll explain. I wanted to know about two conditions. I want to understand the behavior of two reports, whether they will be displayed in inbox:
1) When the report is opened and it has been sent to an external program with a private part
2) When the report opens and it was sent to an external program without the private part
I mean, after all the corrections, I don't know how open reports behave. And if only those that are in the private part of the program are displayed, then it also makes sense. Thanks


jobert Activities::BugResolved
2018-12-05T04:43:04.572Z
Hi @haxta4ok00 - thanks for your patience. We've released a fix for the security vulnerability. Can you do a quick sanity check to make sure it's resolved? Thanks!
> When the report is opened and it has been sent to an external program with a private part
In our backend, the report is already marked as Resolved. It just has an additional flag that it needs to be reviewed by our staff to actually make it public on the Hacktivity feed. This was exactly what you were able to bypass: the approval step.
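The report body above shows the bulk endpoint accepting reply_action=agree-on-going-public, and the comment above explains the backend state it acted on: a report already marked Resolved with an additional flag meaning staff must review it before it appears on the Hacktivity feed. The following is an added example written for this page, not HackerOne's code: a small model of that state machine with a flawed handler that publishes as soon as both parties agree (the bypass described) next to a hardened handler that gates publication on the review flag and a separate staff-only approval step. The state names, roles, the Forbidden exception, and the function names are assumptions; the sample report and users are constructed.

```python
"""Model of the approval-step bypass and its fix. Illustrative example written
for this page; not HackerOne's code. Roles, state names and function names are
assumed, and the sample data below is constructed."""
from dataclasses import dataclass

# Roles a caller of the bulk reply endpoint might hold (assumed names).
REPORTER, PROGRAM, STAFF = "reporter", "program", "staff"


@dataclass
class Report:
    report_id: int
    reporter: str
    state: str = "resolved"              # the page says the report is already Resolved
    requires_staff_review: bool = False  # the "additional flag" the fix must honour
    reporter_agreed: bool = False
    program_agreed: bool = False
    public: bool = False


@dataclass
class User:
    name: str
    role: str


class Forbidden(Exception):
    pass


def _record_agreement(report, actor):
    """Only the report's own reporter or the program may agree to disclosure."""
    if actor.role == REPORTER:
        if actor.name != report.reporter:
            raise Forbidden(f"{actor.name} is not the reporter of #{report.report_id}")
        report.reporter_agreed = True
    elif actor.role == PROGRAM:
        report.program_agreed = True
    else:
        raise Forbidden("only the reporter or the program can agree to disclosure")


def agree_on_going_public_vulnerable(report, actor):
    """Flawed handler: once both parties agree the report is public at once.
    requires_staff_review is never consulted, so the approval step is skipped."""
    _record_agreement(report, actor)
    if report.reporter_agreed and report.program_agreed:
        report.public = True
    return report.public


def agree_on_going_public_fixed(report, actor):
    """Hardened handler: agreement is recorded, but a flagged report only moves
    to a pending state and waits for an explicit staff approval."""
    _record_agreement(report, actor)
    if not (report.reporter_agreed and report.program_agreed):
        return False
    if report.requires_staff_review:
        report.state = "pending_staff_approval"
        return False
    report.public = True
    return True


def staff_approve(report, actor):
    """The separate approval step: only staff can clear the flag and publish."""
    if actor.role != STAFF:
        raise Forbidden("staff role required to approve disclosure")
    if report.state != "pending_staff_approval":
        raise ValueError("nothing to approve")
    report.requires_staff_review = False
    report.public = True
    return True


def bulk_reply(reports_by_id, report_ids, actor, handler):
    """Process a bulk request like the one on the page. Every id is authorised
    and handled on its own; an id the caller may not act on fails closed."""
    results = {}
    for rid in report_ids:
        report = reports_by_id.get(rid)
        if report is None:
            results[rid] = "not found"
            continue
        try:
            results[rid] = "public" if handler(report, actor) else report.state
        except Forbidden as exc:
            results[rid] = f"forbidden: {exc}"
    return results


def demo():
    """Constructed case: a flagged report the program has already agreed to disclose."""
    def flagged():
        return Report(1001, "hacker", requires_staff_review=True, program_agreed=True)
    hacker, staff = User("hacker", REPORTER), User("mod", STAFF)

    vuln = flagged()                      # flawed handler: hacker's agreement publishes it
    bulk_reply({1001: vuln}, [1001], hacker, agree_on_going_public_vulnerable)

    fixed = flagged()                     # fixed handler: parked until staff approve
    bulk_reply({1001: fixed}, [1001], hacker, agree_on_going_public_fixed)
    pending_state = fixed.state
    staff_approve(fixed, staff)
    return vuln.public, pending_state, fixed.public


if __name__ == "__main__":
    print(demo())  # (True, 'pending_staff_approval', True)
```

The point of keeping the flag check inside the handler rather than in the UI is that the bulk endpoint is reachable with any reply_action the client chooses to send, so the server must decide publication from the report's own state, and a bulk request must authorise each report id individually rather than trusting the list as a whole.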


haxta4ok00 Activities::Comment
2018-12-05T04:48:04.913Z
Hi @jobert -- Yes, resolved


jobert Activities::ReportTitleUpdated
2018-12-05T04:49:17.785Z


jobert Activities::AgreedOnGoingPublic
2018-12-05T04:49:47.450Z
Awesome, thanks for confirming @haxta4ok00! I've redacted the report IDs and attachments. This should be ready for disclosure. Thanks again, good luck, and happy hacking!


haxta4ok00 Activities::Comment
2018-12-05T04:50:29.938Z
> In our backend, the report is already marked as Resolved. It just has an additional flag that it needs to be reviewed by our staff to actually make it public on the Hacktivity feed. This was exactly what you were able to bypass: the approval step.
I did not mean the inbox of the moderator, but for example my inbox (simple user). How does a hacker see this report in the inbox?


jobert Activities::Comment
2018-12-05T04:54:21.962Z
> I did not mean the inbox of the moderator, but for example my inbox (simple user). How does a hacker see this report in the inbox?
It shouldn't be visible in your Inbox. This is on purpose.


haxta4ok00 Activities::AgreedOnGoingPublic
2018-12-05T04:55:40.306Z
> It shouldn't be visible in your Inbox. This is on purpose.
Good! That's what I wanted to hear. Disclose.


haxta4ok00 Activities::ReportBecamePublic
2018-12-05T04:55:40.413Z