In this report, I detail a critical CSRF vulnerability in HackerOne's Tray.io integration, which enables organizations to connect their bug bounty programs with third-party apps like GitHub and Jira. By exploiting the lack of CSRF protection on the linking flow, I demonstrated how an attacker could trick users into linking their third-party apps to the attacker's HackerOne account. Additionally, the integration's GraphQL API could be leveraged post-exploitation to perform unauthorized actions, such as accessing private GitHub repositories. Despite the severity, the bounty was reduced to 20% because of a previously unpublicized policy on third-party-related vulnerabilities.
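The root cause described above is an integration-linking callback that binds whatever provider identity arrives to the current session without checking that the request originated from that session's own linking flow. The following Python is an added illustration written for this page, not HackerOne's or Tray.io's code; the session store, the `begin_link`/`complete_link_*` handlers and the `provider_account` / `state` parameter names are assumptions. It shows the unprotected "before" beside a hardened version that mints a random, single-use `state` value at the start of the flow, stores it server-side against the user's session, and refuses any callback whose `state` does not match in constant time. A callback URL minted in one session (the attacker's) therefore cannot complete the link in another (the victim's).

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session id.
# Assumption: a real deployment uses a server-side session backend.
SESSIONS = {}


def begin_link(session_id: str) -> str:
    """Start a third-party linking flow for this session.

    Returns the anti-CSRF state value the provider must echo back on the
    callback. Only the session that started the flow knows this value.
    """
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["link_state"] = state
    return state


def complete_link_vulnerable(session_id: str, params: dict) -> bool:
    """'Before': no CSRF check. Any request reaching the callback while the
    user is logged in links the supplied provider account to that session,
    even if the linking flow was started elsewhere."""
    SESSIONS.setdefault(session_id, {})["linked_account"] = params["provider_account"]
    return True


def complete_link_hardened(session_id: str, params: dict) -> bool:
    """'After': the callback only succeeds if it carries the state that this
    exact session minted, and each state is consumed on first use."""
    sess = SESSIONS.setdefault(session_id, {})
    expected = sess.pop("link_state", None)  # single-use: replay is rejected
    supplied = params.get("state")
    if expected is None or supplied is None:
        return False
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, supplied):
        return False
    sess["linked_account"] = params["provider_account"]
    return True


def linked_account(session_id: str):
    """Return the provider account linked to a session, or None."""
    return SESSIONS.get(session_id, {}).get("linked_account")


if __name__ == "__main__":
    # Constructed demonstration: a legitimate flow, then a forged callback
    # that carries a state minted by a different session.
    own_state = begin_link("victim")
    print("legit callback:", complete_link_hardened(
        "victim", {"state": own_state, "provider_account": "gh:alice"}))

    foreign_state = begin_link("attacker")
    print("cross-session callback:", complete_link_hardened(
        "victim", {"state": foreign_state, "provider_account": "gh:alice"}))
```

The hardened handler fails closed: a missing state, a state from another session, or a replayed state all return `False` and leave the session unlinked. The same pattern applies to OAuth-style flows generally, where the `state` parameter exists precisely to tie the provider callback back to the browser session that initiated it.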
Full technical details are available in the disclosed report: