HackerOne Validates MFA Security Through Targeted Spot Check


On July 4, 2024, HackerOne was alerted to claims about a possible Multi-Factor Authentication (MFA) bypass in its platform, allegedly posted by a threat actor on social media. With no substantial evidence presented, the HackerOne Security team decided to proactively assess their MFA security by conducting a focused Spot Check to ensure that no vulnerabilities existed.

What Is a Spot Check?

A Spot Check is an assessment tool used by security teams to run closely scoped evaluations with security researchers. These checks form an integral part of HackerOne’s Bounty and Challenge programs and are primarily aimed at scrutinizing vital features, authentication measures, or older applications and code.

Why Was the Spot Check Initiated?

Following the initial post, HackerOne discovered that the claims had stirred interest within the InfoSec community, leading to media coverage. Although the legitimacy of the MFA bypass seemed dubious, the HackerOne team prioritized verifying their MFA system's robustness by undertaking targeted testing. As part of their commitment to security, they believe in utilizing their own features, including Spot Checks, ensuring that they are continually testing their defenses.

Timeline of the Spot Check Process

July 4, 2024

  • HackerOne received the report on potential MFA bypass allegations.
  • Steps Taken:
    1. Conducted a thorough review of all reports related to MFA, both open and closed, to assess any prior indications of bypass issues, finding no alarming discrepancies.
    2. Investigated authentication logs to seek any signs of bypass activity.

July 9, 2024

After media coverage sparked customer inquiries, HackerOne promptly responded, clarifying their ongoing investigation and welcoming further reports through their bug bounty program while affirming continuous monitoring of suspicious activities.

July 11, 2024

The Spot Check was officially launched in response to the potential security concerns.

Conducting the Spot Check

HackerOne’s internal security team collaborated closely with their bug bounty program manager to define the scope of the Spot Check. An initial request was issued, emphasizing the need for rigorous testing of their MFA authentication mechanism and inviting security researchers to create accounts for testing.

Test Specifications

  • Conducted a Medium Spot Check at $1,000 per researcher with five researchers, for a total spend of $5,000.
  • Engaged top researchers skilled in identifying MFA bypass vulnerabilities, who each dedicated between 10 and 40 hours to testing.

Results Achieved

The Spot Check yielded promising results, significantly boosting the security team's confidence in the integrity of their authentication methods. Importantly, the Spot Check also unveiled a medium-severity issue—a race condition vulnerability in their 2FA reset process, which was swiftly resolved and disclosed on the HackerOne platform.

The Importance of Targeted Spot Checks

For organizations seeking thorough yet efficient penetration assessments, Spot Checks offer a cost-effective solution. These assessments facilitate focused testing with adaptable directives, proving to be faster and less expensive than traditional large-scale penetration tests. HackerOne stands firmly behind Spot Checks as a valuable resource for internal security needs, encouraging others to explore how to effectively implement them in their environments. Contact our team today or discover more about initiating a Spot Check if you're a HackerOne customer.

This article was originally published on HackerOne.
