HackerOne’s breach highlights security business partner risk

Dive Brief:

• Bug bounty platform HackerOne paid one of its community members a $20,000 bounty after the individual was able to access a HackerOne security analyst account, according to an incident report. No malicious intent or activity was found and copies of the data were deleted. 
• Human error led to a disclosed session cookie and the cookie wasn't revoked until about two hours later. The hacker could "read all reports," they said on Nov. 24 per the incident report. "It was a happy white hacking for me." 
• The compromised data could have led to system access beyond HackerOne, said Jobert Abma​, cofounder of HackerOne, in a reply to the hacker. The breach gave the hacker access to customer assets, including vulnerability information, ability to pay bounties, modify program details, and add users, according to the report.

Dive Insight:

Every company has customer data they have a duty to protect. While some companies' customer data is consumers' personally identifiable information, such as addresses and birth dates, HackerOne's customer data is security flaws. 

"We are just as at risk from external attacks as any other business," a HackerOne spokesperson told CIO Dive in an email. However, the customer information HackerOne possesses could be detrimental to businesses if leaked. 

Businesses are forewarned about trusting partners in their ecosystem. Companies have an extensive network of data aggregators, brokers and service providers. Because of this complexity, to ensure bulletproof security, companies would have to re-architect how they share data and who controls it.

Microsoft found only 15% of firms have some degree of confidence in their supply chain threat mitigation. Forty-three percent of firms have zero confidence in their ability to protect their business from risks from commercial business partners. 

Companies, including HackerOne, Bugcrowd, FireEye and IBM X-Force, are vital in threat detection, a tool companies need and sometimes outsource. 

Threat intelligence is sold as a value-add, "where companies collect information about emerging threats, taking care, taking advantage of emerging vulnerabilities," Chris Kennedy, CISO of AttackIQ, told CIO Dive. 

There will always be the risk of potentially exposing vulnerabilities by the vendor that's tasked with finding them.

"Should a vulnerability be found, HackerOne's bug bounty program offers a safe reporting channel so issues can be quickly resolved. As with all vulnerabilities reported to the HackerOne Platform, we investigated this issue and implemented immediate and long term fixes," said the spokesperson. 

Transparency in the cybsersecurity community is encouraged, but rarely shared.

"Bad guys almost do a better job of compounding their knowledge about how to attack better than the defensive communities," said Kennedy. HackerOne discloses all reported flaws on its platform. But before a customer can patch its systems, it has too much to lose if information is shared too quickly. 

Comments are closed.