Prapti Patil

HackerOne Report #188719: Information Disclosure in /skills

🔖 Quick Facts

  • Vulnerability Type: Information Disclosure

  • Endpoint: /skills API

  • Severity: Medium (6.5)

  • CVE ID: None assigned

  • Timeline: December 6, 2016 → Fixed in a few hours

  • Bounty Awarded: 💰 $10,000

🔎 What Happened?

HackerOne introduced a new skill sets feature where hackers could submit past reports as proof of expertise. This feature was designed to give hackers tailored invites for private programs.

However, because the query behind the /skills API endpoint was written incorrectly, it returned report titles submitted by other hackers in the same skill category to anyone who had applied for that category.

👉 Example: If you applied for “Mobile Applications” skills, you could see report titles that other hackers had submitted for review in that category.
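The report does not publish the faulty query, so the following is an added illustration of the bug class it describes, not HackerOne's code: a lookup scoped by skill category but not by the requesting hacker, shown beside the scoped version and a small regression check. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the report): each row is a report a
# hacker submitted as proof of expertise in one skill category.
SAMPLE_ROWS = [
    (1, "alice", "Mobile Applications", "IDOR in mobile profile endpoint"),
    (2, "bob",   "Mobile Applications", "SSL pinning bypass in iOS app"),
    (3, "carol", "Web Applications",    "Stored XSS in comment field"),
    (4, "alice", "Web Applications",    "CSRF on password change"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE skill_reports ("
        "id INTEGER PRIMARY KEY, hacker TEXT, category TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO skill_reports VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def skills_titles_leaky(conn, hacker: str, category: str) -> list[str]:
    """Hypothetical 'before' query: filters by category only. The `hacker`
    argument is ignored, so every hacker's titles in that category come back."""
    rows = conn.execute(
        "SELECT title FROM skill_reports WHERE category = ? ORDER BY id",
        (category,),
    )
    return [r[0] for r in rows]


def skills_titles_fixed(conn, hacker: str, category: str) -> list[str]:
    """Scoped query: the result is limited to the requesting hacker's own rows."""
    rows = conn.execute(
        "SELECT title FROM skill_reports "
        "WHERE category = ? AND hacker = ? ORDER BY id",
        (category, hacker),
    )
    return [r[0] for r in rows]


def leaked_titles(conn, query_fn, hacker: str, category: str) -> list[str]:
    """Regression check for the endpoint: any returned title whose owner is
    not `hacker` is a cross-user leak. Returns the leaked titles."""
    leaked = []
    for title in query_fn(conn, hacker, category):
        owner = conn.execute(
            "SELECT hacker FROM skill_reports WHERE title = ?", (title,)
        ).fetchone()[0]
        if owner != hacker:
            leaked.append(title)
    return leaked
```

Running `leaked_titles(make_db(), skills_titles_leaky, "alice", "Mobile Applications")` returns Bob's title, while the same check against `skills_titles_fixed` returns an empty list; a check of this shape belongs in the test suite of any per-user listing endpoint.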

⚠️ Impact

  • Only report titles of fixed vulnerabilities were exposed.

  • But report titles alone can sometimes reveal sensitive details about the bug itself.

  • Even metadata like titles can help attackers perform:

    • Reconnaissance

    • Pattern analysis

    • Targeted attacks

That’s why HackerOne treated this issue seriously and awarded the maximum bounty for confidential bug access.

🛠️ The Fix

  • HackerOne immediately disabled the skills feature.

  • Root cause was identified and patched within hours.

  • The feature was re-enabled after validation by the reporter.

❓ Why No CVE?

Not all vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID.

  • CVE IDs are generally assigned to vulnerabilities in publicly released software or hardware products that many organisations deploy.

  • Since this was an issue in HackerOne's own hosted platform, fixed on the vendor's side within hours, no CVE was assigned.

Still, this report is valuable for the security community as a lesson in data exposure risks.

🧑‍💻 Lessons for Security Enthusiasts

  • Information Disclosure ≠ trivial. Even small leaks like titles or metadata can have a big impact.

  • Check new features carefully. Beta or staged rollouts often introduce subtle bugs.

  • Responsible disclosure pays. This bug earned $10,000 despite “only” exposing report titles.

  • CVE ≠ validation of severity. Even without a CVE, a vulnerability can still be serious.

🚀 Takeaway

HackerOne Report #188719 shows how data leaks through APIs can occur in unexpected ways.

It’s a reminder for developers to:

  • ✅ Sanitize queries

  • ✅ Limit access strictly

  • ✅ Share the least information possible

🔗 Reference: HackerOne Report #188719 – Information Disclosure in /skills
