HACKERONE USERNAME CHANGE EXPLOIT |SOCIAL ENGINEERING|



In this write-up I will explain the method I used to perform an unauthorized username change on any HackerOne account. It was a flaw in an internal process, with no email verification, which allowed me to carry out the attack successfully.





As we all know, HackerOne is one of the best and most controversial managed bug bounty platforms on the internet, and every day researchers from around the world test their custom exploits against the corporate applications sponsored by vendors and companies.

Does Social Engineering count?

Web application vendors and companies often do not educate their employees and staff about social engineering attacks, and most of the time no policies are defined to handle such situations. Similarly, due to a simple flaw in HackerOne's internal process flow, I was able to discover a way to change the username of any account on HackerOne.

How did HackerOne handle username changes?

Anyone who has used HackerOne for a few months will know that HackerOne had an email request mechanism for changing profile usernames. For example, if a user wanted to change his username, he would email support@hackerone.com to open a username change request, which would be reviewed, and he would then be granted the new username.

How HackerOne's email verification failed, and the exploit

The root cause of this whole attack was HackerOne's email process flow. The exploit scenario was very simple: the support email process did not verify two things.
  • From which address the username change request was being sent.
  • Whether the address requesting the username change is associated with the account at all.

So building an attack scenario out of this was relatively easy:
  • The victim has an account victim@gmail.com with the username victim.
  • The attacker mails from attacker@gmail.com asking to change the username of that account (usernames are visible to everyone on HackerOne).
  • The attacker confirms the change from his own email, without any prompt to the original user.

And the username is changed.

I created two email accounts and attached one of them to a HackerOne account with the username yhunterz. I carried out the exploit from the other test email, which was not associated with the account that held the username, because I had a gut feeling that the system did not verify the email address behind a username change request.

Social Engineering Email

As expected, I was not asked for any confirmation, nor was my email address checked against the account for the username change. Just a verbal confirmation.


Within 24 hours the username was changed.
I reported the issue to HackerOne as soon as I had completed the procedure and carried out the exploit, and they were very quick to add a check for the associated email address to their email management process as a fix for the issue.
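The two missing checks listed above, and the associated-address check that was added as the fix, modelled as an added Python example. This is not HackerOne's code; the account store, the example addresses and the function names are constructed for illustration. The hardened flow deliberately does not trust the From: header alone, since it can be forged: it only issues a single-use token to the registered mailbox, so completing the change proves control of that mailbox.

```python
"""Toy model of a support-driven username-change flow: the unverified
handling described in the write-up beside a hardened two-step version.
Constructed example; accounts and addresses are made up."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str      # registered (verified) e-mail address
    username: str   # public handle, visible to everyone


@dataclass
class ChangeRequest:
    sender: str           # From: address on the support e-mail (forgeable)
    target_username: str  # public handle the sender asks to rename
    new_username: str


def make_accounts():
    """Constructed sample store: registered e-mail -> Account."""
    return {
        "victim@example.com": Account("victim@example.com", "victim"),
        "other@example.com": Account("other@example.com", "other"),
    }


def find_by_username(accounts, username):
    return next((a for a in accounts.values() if a.username == username), None)


def same_address(a, b):
    return a.strip().lower() == b.strip().lower()


def unverified_change(accounts, req):
    """The flaw in the write-up: only the public username is looked up, so
    any sender can rename any account. Returns True if the rename happened."""
    acct = find_by_username(accounts, req.target_username)
    if acct is None:
        return False
    acct.username = req.new_username
    return True


def request_change(accounts, pending, req):
    """Hardened step 1: refuse unless the From: address matches the account's
    registered e-mail, then create a single-use token that would be mailed
    only to that registered address (mail delivery is not modelled here).
    Returns the token, or None if the request is rejected."""
    acct = find_by_username(accounts, req.target_username)
    if acct is None or not same_address(req.sender, acct.email):
        return None
    token = secrets.token_urlsafe(32)
    pending[token] = (acct.email, req.new_username)
    return token


def confirm_change(accounts, pending, token, confirming_sender):
    """Hardened step 2: the token was only ever delivered to the registered
    mailbox, so presenting it proves control of that mailbox even if the
    From: header in step 1 was forged. The token is consumed on first use,
    whether or not the confirmation is accepted (fail closed)."""
    entry = pending.pop(token, None)
    if entry is None:
        return False
    registered_email, new_username = entry
    if not same_address(confirming_sender, registered_email):
        return False
    accounts[registered_email].username = new_username
    return True


if __name__ == "__main__":
    attacker = ChangeRequest("attacker@example.com", "victim", "pwned")

    accts = make_accounts()
    print("unverified flow renamed victim:", unverified_change(accts, attacker))

    accts, pending = make_accounts(), {}
    print("hardened flow, attacker request:", request_change(accts, pending, attacker))
    legit = ChangeRequest("victim@example.com", "victim", "newname")
    tok = request_change(accts, pending, legit)
    print("hardened flow, owner confirmed:",
          confirm_change(accts, pending, tok, "victim@example.com"))
```

In a real support workflow the second step would be the user replying from the registered mailbox with the token, or clicking a link carrying it; the support agent never sees a request they could approve on a stranger's say-so.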


For this issue they rewarded me a considerable bounty and a place in their eternal hall of fame. I am thankful to HackerOne for this honor, and I continue to look for issues to report to them that help improve their security controls.
Do post your comments about this write-up, and send suggestions for our next write-ups via our Advisories page.
Until the next writeup. Stay safe and Hack ON!
