Site icon API Security Blog

HackerOne: Creation of bounties through Customer API leads to private email disclosure

Summary: Hello team, It is possible to reveal any user email using the BountiesHistoryQuery request. To demonstrate this, I will make use of both the API and the graphql requests. Steps To Reproduce Log in to your account and create a demo Head over to https://hackerone.com/organizations/████/settings/api_tokens and create a token with the report manager role Head over to any profile of a user in hackerone and copy their user id Use this request below to award a program bounty to that user using the API. recipient_id is the id of any user and {id} is your sandbox program id. “` let inputBody = "{n "data": {n "type": "bounty",n "attributes": {n "recipient_id": "██████████",n "amount": 51,n "reference": "newbounty",n "title": "BOUNTY FROM Sandbox",n "currency": "USD",n "severity_rating": "high"n }n }n}"; let user = 'identifier'; let password = 'token'; let headers = new Headers(); headers.set('Authorization', 'Basic ' + btoa(user + ":" + password)); headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json'); fetch('https://api.hackerone.com/v1/programs/{id}/bounties', { method: 'POST', body: inputBody, headers: headers }) .then(function(res) { return res.json(); }).then(function(body) { console.log(body); }); “` 5. You will get a success message ██████ 6. After awarding the bounty, make the following Graphql request. Where handle is the…Read More

Exit mobile version