Cyber Security

Rogue HackerOne employee steals bug reports to sell on the side

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.

The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.

HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.

Catching the culprit

On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.”

The customer had noticed that the same security issue had been previously submitted through HackerOne.

Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.

HackerOne’s investigation determined that one of its employees had access to the platform for over two months, since they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system.

Threat actor got paid

The rogue employee received bounties for some of the reports they submitted, the company said. This allowed HackerOne to follow the money trail and identify the perpetrator as one of its workers that triaged vulnerability disclosures for “numerous customer programs.”

“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information” – HackerOne

Analyzing the threat actor’s network traffic revealed more evidence that linked their primary and sockpuppet accounts on HackerOne.

Less than 24 hours after starting the investigation, the bug bounty platform identified the threat actor, terminated their system access, and remotely locked their laptop pending the inquiry.

For the next few days, HackerOne did remote forensics imaging and analysis of the suspect’s computer and completed reviewing the data access logs for that employee for the duration of the employment to determine all bug bounty programs the threat actor interacted with.

On June 30, HackerOne terminated the employment of the threat actor.

“Subject to review with counsel, we will decide whether criminal referral of this matter is appropriate. We continue forensic analysis on the logs produced and devices used by the former employee” – HackerOne

HackerOne notes that its former employee had used “threatening” and “intimidating” language in their interaction with customers and urged customers to contact the company if they received disclosures made in an aggressive tone.

Advertisement. Scroll to continue reading.

The company says that “in the vast majority of cases” it has no evidence of vulnerability data having been misused. However, customers that had reports accessed by the inside threat actor, either for nefarious or legitimate purposes, have been informed individually of dates and times of access for each vulnerability disclosure.

Source: https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/

Click to comment

You May Also Like

Cyber Security

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month. The framework means that well-intentioned security researchers are free...

Cyber Security

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward....

Cyber Security

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect. Announced on February 8, the critical vulnerability...

Cyber Security

A security researcher dropped a zero-day remote code execution (RCE) chain of vulnerabilities affecting Lexmark printers after claiming the disclosure reward he was offered...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO

Exit mobile version