A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to the affected customers to claim financial rewards.
The rogue employee had contacted about half a dozen HackerOne customers and collected bounties "in a handful of disclosures," the company said on Friday.
HackerOne is a platform for coordinating vulnerability disclosures and brokering the financial rewards paid to the bug hunters who submit security reports.
Catching the offender
On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure made through an off-platform communication channel by someone using the handle "rzlr."
The customer had noticed that the same security issue had previously been submitted through HackerOne.
Bug collisions, where multiple researchers find and report the same security issue, are common; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.
HackerOne's investigation determined that one of its employees had had access to the platform for over two months, from the day they joined the company on April 4 until June 23, and had contacted seven companies to report vulnerabilities already disclosed through its system.
Danger actor were given paid
The rogue employee received bounties for some of the reports they submitted, the company said. This allowed HackerOne to follow the money trail and identify the culprit as one of its staff members who triaged vulnerability disclosures for "numerous customer programs."
"The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information" – HackerOne
Analyzing the threat actor's network traffic revealed further evidence linking their primary and sockpuppet accounts on HackerOne.
Less than 24 hours after starting the investigation, the bug bounty platform identified the threat actor, terminated their system access, and remotely locked their laptop pending the inquiry.
Over the following days, HackerOne performed remote forensic imaging and analysis of the suspect's computer and finished reviewing the data access logs for that employee over the course of their employment to determine every bug bounty program the threat actor had interacted with.
On June 30, HackerOne terminated the employment of the risk actor.
"Subject to review with counsel, we will decide whether criminal referral of this matter is appropriate. We continue forensic analysis on the logs produced and devices used by the former employee" – HackerOne
HackerOne notes that its former employee had used "threatening" and "intimidating" language in their interactions with customers, and it urged customers to contact the company if they received disclosures made in an aggressive tone.
The company says that "in the vast majority of cases" it has no evidence of vulnerability data having been misused. However, customers whose reports were accessed by the internal threat actor, whether for nefarious or legitimate purposes, were individually informed of the dates and times of access for each vulnerability disclosure.