Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form

Medium
H
HackerOne
Submitted None

Team Summary

Official summary from HackerOne

The hacker submitted a vulnerability to us that allowed any user to bypass multiple program restrictions, such as the 2FA requirement, report rate limit, and internal abuse limits. The severity for this vulnerability was set to medium (CVSS 5.0). This vulnerability was awarded $2,500. When we looked into the root cause of the vulnerability, we stumbled upon another vulnerability, which had a higher CVSS score (7.1). The second vulnerability that we identified allowed an attacker to gain access to other users' attachments who were writing a report at the same time. Because we identified this vulnerability due to @japz' report, we decided to award him an additional $7,500. The report itself contains an in-depth explanation of where the vulnerability originated from. We determined that neither of the vulnerabilities have been abused. Here's a link to @japz's own blog post about the vulnerability: https://medium.com/japzdivino/bypass-hackerone-2fa-requirement-and-reporter-blacklist-46d7959f1ee5. We'd like to thank @japz and @mga_bobo for bringing this to our attention, this was a great find!

Actions:
View on HackerOne
Reported by japz

Vulnerability Details

Technical details and impact analysis

Improper Authorization
Hi Team, ### Summary: A program owner can enforce the hackers to setup the two-factor authentication before submitting new reports to their program here: https://hackerone.com/parrot_sec/submission_requirements (see below image) {F355169} The [Parrot Sec](https://hackerone.com/parrot_sec) program has this feature enabled to enforce the hackers to setup `2FA` before submitting reports. I removed my `2FA` to test and it is good that i was block from submitting new reports (see below image) {F355168} --- ### BYPASS 2FA Requirements using Embedded Submission: Now i was able to bypass this 2FA setup requirements by using the Parrot Sec program __Embedded Submission Form__. ## Steps to reproduce: 1. Login to your account and __remove__ your 2FA on your account (if you already setup it) 2. Now go to https://hackerone.com/parrot_sec and hit `Submit Report` button, observed that you cannot submit report unless you will enable your 2FA. 3. __BYPASS:__ Get the `Embedded Submission` URL on their [policy page](https://hackerone.com/parrot_sec): i get this ->> https://hackerone.com/0a1e1f11-257e-4b46-b949-c7151212ffbb/embedded_submissions/new 4. Now submit report using that embedded submission form and you can submit reports without setting-up your 2FA, despite the program __enforce__ the user to setup the 2FA before submitting new reports. 5. 2FA requirements successfully bypassed! ## Impact Bypassing the enabled protection/feature of the program. Let me know if anything else is needed. Regards Japz

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$10000.00

Submitted

Weakness

Improper Authorization