Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Able to Create Testimonials for myself using Sandbox

Medium
H
HackerOne
Submitted None

Team Summary

Official summary from HackerOne

This vulnerability allows hackers to create and display self-authored testimonials on their public profiles. The issue arises when a hacker creates a sandbox program on HackerOne and invites an alternate account. The alternate account can then submit reports to the sandbox program, and the primary account, acting as the program owner, can resolve these reports. Upon resolution, the program owner is presented with an option to provide a testimonial for the hacker who submitted the report. By filling out this testimonial form and enabling the "Show this blurb on my profile" setting, the hacker can display the self-authored testimonial on their public HackerOne profile. We came to the decision to score this as Medium (5.3) due to the fact that this impacts the Integrity of the testimonial system as modification of data is possible. The hacker does not have complete control over testimonials however as they only work to show feedback from "a private team" (i.e. their own Private Sandbox Program) and not any actual team. As a result of this report, our team implemented a fix to prevent creation of a hacker review (Testimonial) when a team is sandboxed, and introduced more extensive access control checking to ensure that only legitimate testimonials can be written. We've also removed the false testimonials created out of this exercise. The hacker completed a retest and confirmed that the issue is no longer present.

Actions:
View on HackerOne
Reported by harshdranjan

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
**Summary:** Recently you allowed us to give testimonials for the sandbox reports which is Vulnerable and allows all the researcher to control their **Testimonials** for their benefit t. **Description:** When a report is closed as resolved we are given the option of "This hacker is eligible for a testimonial" in the Sandbox report and if we fill out this form and submit it for our own Profile and then go to our profile setting "https://hackerone.com/settings/feedback" and turn on "Show this blurb on my profile" On then this Testimonial will be shown in our Public Profile of Hackerone. With a Single Sandbox Program I can create more than 50 Testimonials for myself that I have Hacked and I am a good hacker. Here the Credibility of the Hackeron testimonial system will fail completely as the Other users can only see that a Private program gave them a review and don't know which program or a Sandbox Program. ### Steps To Reproduce 1. With your second ID create a Sandbox Program and Invite your active ID to that Program 2. with the Active ID Create a Few reports for your own Sandbox Program 3. Now with the Second ID closed all those reports as Resolved and a form for Testtiomonial will pop up at the top of the report "This hacker is eligible for a testimonial" 4. Fill out this form and submit it. 5. From Active ID go to the feedback section "https://hackerone.com/settings/feedback" and turn on "Show this blurb on my profile" On Now visit your Public Profile of the active ID **Testimonials** will be live and visible to all ### Optional: Supporting Material/References (Screenshots) ████ ## Impact Here the Credibility of the Hackeron testimonial system will fail. It can be used to Uplift Public Reputation, Might add this Profile to their JOB resume and as everyone believes in Hackerone they will believe this as well. will surely effect the reputation of Hackeorne.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2500.00

Submitted

Weakness

Improper Access Control - Generic