HackerOne rewards bughunter who found critical security hole in… HackerOne

Love a bit of bitter irony. To their credit, this was quickly fixed…:

“HackerOne has an invitation system that allows program owners to send invitations to users for various purposes, such as invitations to hack on private programs, claim bounties, be added to programs, among others. The invitation system allows users to be invited by email or by username. If a user is invited by their username, the sender is not permitted to view the email address the invitation is sent to for user privacy. This rule has been guarded by HackerOne’s Access Control Lists (ACLs) in HackerOne’s Representational state transfer (REST) framework, but HackerOne has been migrating these objects to GraphQL under a new protection layer. When exposing a new invitation object, the ACL rule previously applied wasn’t implemented correctly to the new GraphQL protection layer.”
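As an added illustration (not HackerOne's code), the migration failure the disclosure describes in miniature: an invitation object exposed through a new resolver layer without the REST-era "sender invited by username may not see the email" rule, beside a deny-by-default field policy where any field that has no registered rule fails closed. `Invitation`, `Viewer`, `FIELD_POLICY` and the `invited_by` field are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invitation:          # constructed stand-in for the exposed object
    id: int
    sender_id: int
    recipient_id: int
    recipient_email: str
    invited_by: str        # "email" or "username" (assumed field)

@dataclass(frozen=True)
class Viewer:
    user_id: int

def _email_visible(inv: Invitation, viewer: Viewer) -> bool:
    """Port of the REST-era ACL rule: the invitee always sees their own address;
    the sender only sees it when they supplied it themselves (invite by email)."""
    if viewer.user_id == inv.recipient_id:
        return True
    if viewer.user_id == inv.sender_id:
        return inv.invited_by == "email"
    return False

# Deny-by-default policy table: a field missing here is never returned.
FIELD_POLICY = {
    "id": lambda inv, viewer: True,
    "invited_by": lambda inv, viewer: viewer.user_id in (inv.sender_id, inv.recipient_id),
    "recipient_email": _email_visible,
}

def resolve_invitation_unguarded(inv: Invitation, viewer: Viewer, fields) -> dict:
    """The bug: the object is exposed with no per-field rule, so every
    requested field, email included, resolves for any viewer."""
    return {f: getattr(inv, f) for f in fields}

def resolve_invitation(inv: Invitation, viewer: Viewer, fields) -> dict:
    """Hardened resolver: each field must pass its policy; a field with no
    policy registered resolves to None instead of leaking its value."""
    out = {}
    for f in fields:
        policy = FIELD_POLICY.get(f)
        out[f] = getattr(inv, f) if policy is not None and policy(inv, viewer) else None
    return out

def unguarded_fields(obj_type) -> list:
    """Migration check: object fields that have no explicit policy yet."""
    return [f for f in obj_type.__dataclass_fields__ if f not in FIELD_POLICY]

# Constructed sample data: user 10 invites user 20 two different ways.
INVITE_BY_USERNAME = Invitation(1, 10, 20, "invitee@example.com", "username")
INVITE_BY_EMAIL = Invitation(2, 10, 20, "invitee@example.com", "email")
```

Running `unguarded_fields(Invitation)` as part of the migration's test suite is the check that would have flagged a newly exposed object before its rules were ported.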

Original article here