Tuesday, 10 February 2015

HackerOne Fixes Serious Bug in Platform for Bug Reports


HackerOne, the platform for reporting vulnerabilities in various software projects and applications, has itself had to deal with a serious vulnerability through which attackers could have gained access to unpublished bug reports from other researchers.

The cross-site scripting (XSS) issue was caused by the way HackerOne tried to render the backslash ("\") character harmless. As a result, an attacker could execute script in the context of the HackerOne page, which could in turn be used in a phishing attack, says researcher Daniel LeCheminant, who discovered the problem.
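As an added illustration (this is not text from the original article and not HackerOne's code, which the article does not show), the following JavaScript demonstrates the general class of bug described above: a sanitiser that escapes quotes but leaves the backslash untouched, so an attacker-supplied backslash cancels the escaping and the rest of the input lands outside the string literal. The function names, the inline-script template and the `sandbox` object are assumptions made for the example.

```javascript
// Added example of the backslash-escaping bug class. Hypothetical code, not
// HackerOne's: the article does not describe the affected code, only that the
// handling of "\" was at fault.

// Flawed escaper (assumed for illustration): neutralises double quotes only.
// Input  \"   becomes  \\"   which is an escaped backslash followed by a
// bare quote, so the string literal ends early.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Safer escaper: JSON.stringify escapes backslashes and quotes together, so a
// user-supplied "\" can never swallow the escaping of the quote after it.
// "<" is additionally encoded so a "</script>" in the data cannot close the
// surrounding HTML script block.
function escapeForJsString(s) {
  return JSON.stringify(s).slice(1, -1).replace(/</g, '\\u003c');
}

// Template a server might emit inside a <script> block (assumed template).
function buildScript(escaper, input) {
  return 'var title = "' + escaper(input) + '";';
}

// Execute the generated script the way a browser would, with a local sandbox
// object standing in for the page. Returns the value the script assigned to
// `title` and whether attacker-controlled code ran (it would set sandbox.pwned).
function renderAndRun(escaper, input) {
  const sandbox = { pwned: false };
  const script = buildScript(escaper, input);
  // Newline before the return so a trailing "//" in a payload cannot comment
  // out our own return statement.
  const title = new Function('sandbox', script + '\n return title;')(sandbox);
  return { script: script, title: title, attackerCodeRan: sandbox.pwned };
}

// Constructed attacker input: a backslash, a quote, then arbitrary JS and a
// line comment to discard whatever the template appends.
const PAYLOAD = '\\";sandbox.pwned=true;//';

function demo() {
  const bad = renderAndRun(escapeQuotesOnly, PAYLOAD);
  const good = renderAndRun(escapeForJsString, PAYLOAD);
  console.log('flawed escaper :', bad.script, '-> attacker code ran:', bad.attackerCodeRan);
  console.log('JSON escaper   :', good.script, '-> attacker code ran:', good.attackerCodeRan);
  return { bad: bad, good: good };
}

demo();
```

With the flawed escaper the emitted source is `var title = "\\";sandbox.pwned=true;//";`, which the engine reads as a one-character string followed by the attacker's statement. The JSON-based escaper produces `"\\\";sandbox.pwned=true;//"`, a single literal whose value round-trips to the original input. The practical check for any escaper is the same: feed it a backslash followed by the delimiter and confirm the output still parses as one literal.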

He suspects that an attacker could also have added arbitrary HTML to bug reports in order to gain unauthorised access to the bug reports and data of other researchers. It is the first time that an XSS problem has been found in HackerOne. The vulnerability was fixed a day after LeCheminant informed the administrators, and he received a reward of $5,000, an amount reserved for serious bugs only.
