HackerOne, the popular security response and bug bounty platform, rewarded a researcher with with a $5,000 bounty for identifying a severe cross-site scripting (XSS) vulnerability.
HackerOne hosts bug bounty programs for several organizations, but the company also runs a program for its own services. So far, HackerOne has thanked 54 hackers for helping the company keep its services secure, but Trello developer Daniel LeCheminant is the first to find a flaw rated “severe.”
The researcher discovered that he could insert arbitrary HTML code into bug reports and other pages that use Markdown, a markup language designed for text-to-HTML conversions.
“While being able to insert persistent, arbitrary HTML is often game over, HackerOne uses Content Security Policy (CSP) headers that made a lot of the fun stuff ineffective; e.g. I could insert a <script> tag or an element with an event handler, but it wouldn’t run because these unsafe inline scripts were blocked by their CSP,” LeCheminant explained in a blog post.
“Fortunately (for me) not all browsers have full support for CSP headers (e.g. Internet Explorer 11), so it wasn’t hard to make a case that being able to run arbitrary script when someone attempted to view a bug that I’d submitted qualified as something that ‘might grant unauthorized access to confidential bug descriptions’,” he added.
An attacker couldn’t have exploited the vulnerability to run arbitrary scripts, but as the expert demonstrated, the bug was serious enough. LeCheminant managed to change visual elements on the page (e.g. color of the links) because HackerOne’s CSP allows inline styles, and even insert an image into his submission.
According to the researcher, an attacker could have also inserted other elements, such as text areas, and he could have redirected visitors of the page to an arbitrary website by using the meta refresh method.
When users click on links found in bug reports, they are redirected to a warning page where they are informed that they are about leave HackerOne and visit a potentially unsafe website. However, by leveraging the XSS found by LeCheminant, a malicious actor could have bypassed the warning page and take users directly to a potentially harmful site.
The vulnerability was reported just three days ago and it was resolved by HackerOne one day later.