Logic Flaw: Deleting HackerOne Team Reports Without Access Rights
Summary
Security researcher kimingi has revealed a critical authorisation flaw in HackerOne’s internal analytics reporting system.
The vulnerability allowed unauthorised users to delete reports for teams they didn’t have access to by manipulating a GraphQL mutation endpoint.
This was not a UI glitch or edge-case error, but a breach of access control logic, meaning authorisation checks had not been coded into the backend.
While the UI correctly hid reports from teams the user was not a member of, the backend failed to enforce the same access control at the mutation level, permitting a malicious insider to delete analytics reports belonging to teams they no longer had access to.
The issue was discovered while kimingi was examining analytics reports for an organisation with multiple teams.
They had access to both teams but then restricted their own access to one of them to simulate a user with limited access.
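The gap described above, as an added example that is not HackerOne's code or part of the original report: a delete-report resolver that trusts the UI to have filtered out inaccessible reports, beside one that re-checks team membership on the server before mutating anything. Store layout, team and report identifiers and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Report:
    report_id: str
    team_id: str


@dataclass
class Store:
    reports: dict = field(default_factory=dict)
    # team_id -> set of user ids who currently have access to that team
    team_members: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller is not a member of the report's team."""


def delete_report_vulnerable(store: Store, user_id: str, report_id: str) -> bool:
    """Mutation resolver with the flaw: it only checks that the report exists.
    Authorisation is assumed to have happened in the UI, so any authenticated
    user who knows a report id can delete it, whatever team owns it."""
    if report_id not in store.reports:
        return False
    del store.reports[report_id]
    return True


def delete_report_fixed(store: Store, user_id: str, report_id: str) -> bool:
    """Hardened resolver: the server re-derives the caller's team access at
    mutation time instead of trusting what the client was shown."""
    report = store.reports.get(report_id)
    if report is None:
        return False
    if user_id not in store.team_members.get(report.team_id, set()):
        raise Forbidden(f"{user_id} may not modify reports of {report.team_id}")
    del store.reports[report_id]
    return True


def build_store() -> Store:
    """Constructed sample data: two teams in one organisation; the researcher
    has kept access to team-a only, mirroring the scenario in the write-up."""
    store = Store()
    store.reports["rpt-a-1"] = Report("rpt-a-1", "team-a")
    store.reports["rpt-b-1"] = Report("rpt-b-1", "team-b")
    store.team_members["team-a"] = {"researcher", "admin"}
    store.team_members["team-b"] = {"admin"}
    return store
```

The fix is deliberately placed in the resolver rather than in the client: hiding a report in the UI does nothing to stop a crafted mutation that names its id directly.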