Ian Melven
Senior Director, Security

How HackerOne Disproved an MFA Bypass With a Spot Check

At HackerOne, we’re incredibly proud of our wide range of human-powered security testing solutions and continuously use them for our internal security, including running highly focused tests through Spot Checks. When a potential multi-factor authentication risk was identified, we knew exactly which tool to use within the HackerOne Platform. In this blog, we’ll discuss the details of the alleged risk, why we chose to run a Spot Check, and the results of the test. 

What Is a Spot Check?

Spot Check is a powerful tool for security teams to do a tightly focused and scoped human-powered assessment with security researchers. Available as part of HackerOne Bounty and Challenge programs, Spot Checks are ideal for testing new features, critical features such as authentication and authorization, or older legacy apps and code.

Why Did HackerOne Conduct a Spot Check?

A threat actor posted on X indicating that they were offering to sell the details of an MFA bypass in the HackerOne platform. No additional evidence was provided.

This information was picked up by an X account that publishes news in the Infosec space. While the bypass seemed unlikely, we wanted to verify the security of our MFA implementation and gain confidence via focused testing to be sure.

In addition, we’re invested in using and testing our own features, including Spot Checks. HackerOne uses its own Platform to run its bug bounty program and to perform both penetration tests and phishing assessments, and Spot Checks should be no different. The HackerOne Security team is its own internal customer. 

Spot Check Timeline

July 4, 2024

The first report of allegations of the MFA bypass was received.

Steps:

  1. Review reports: We reviewed all open and closed reports to our program involving MFA to see if the issue might have already been reported and then re-evaluated the reports for risk. Nothing was identified as a potential MFA bypass. 
  2. Examine authentication logs: We examined our authentication logs for evidence of any MFA bypass.
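
One way to express the log check in step 2 as a correlation rule: flag any session created for an MFA-enabled account whose login attempt has no earlier successful second-factor event. This is an added example, not HackerOne's code; the JSON-lines schema, the event names and the sample events are constructed assumptions.

```python
import json

# Constructed sample auth log (JSON lines). Field and event names are
# assumptions for illustration, not HackerOne's log schema.
SAMPLE_LOG = """
{"ts":"2024-07-01T10:00:00Z","user":"alice","login_id":"a1","event":"password_ok"}
{"ts":"2024-07-01T10:00:20Z","user":"alice","login_id":"a1","event":"totp_ok"}
{"ts":"2024-07-01T10:00:21Z","user":"alice","login_id":"a1","event":"session_created","mfa_enabled":true}
{"ts":"2024-07-01T10:30:00Z","user":"bob","login_id":"b1","event":"password_ok"}
{"ts":"2024-07-01T10:30:01Z","user":"bob","login_id":"b1","event":"session_created","mfa_enabled":false}
{"ts":"2024-07-01T11:00:00Z","user":"carol","login_id":"c1","event":"password_ok"}
{"ts":"2024-07-01T11:00:10Z","user":"carol","login_id":"c1","event":"totp_fail"}
{"ts":"2024-07-01T11:00:12Z","user":"carol","login_id":"c1","event":"session_created","mfa_enabled":true}
{"ts":"2024-07-01T12:00:00Z","user":"dave","login_id":"d1","event":"password_ok"}
{"ts":"2024-07-01T12:00:05Z","user":"dave","login_id":"d1","event":"session_created","mfa_enabled":true}
{"ts":"2024-07-01T12:00:09Z","user":"dave","login_id":"d1","event":"totp_ok"}
{"ts":"2024-07-01T13:00:00Z","user":"erin","login_id":"e1","event":"password_ok"}
{"ts":"2024-07-01T13:00:30Z","user":"erin","login_id":"e1","event":"backup_code_ok"}
{"ts":"2024-07-01T13:00:31Z","user":"erin","login_id":"e1","event":"session_created","mfa_enabled":true}
"""

# Events that count as a completed second factor (assumed names).
SECOND_FACTOR_OK = {"totp_ok", "backup_code_ok"}

def find_mfa_gaps(lines):
    """Return session_created events for MFA-enabled accounts whose login
    attempt has no earlier successful second-factor event."""
    events = [json.loads(line) for line in lines if line.strip()]
    # ISO-8601 UTC strings sort chronologically; the sort is stable on ties.
    events.sort(key=lambda e: e["ts"])
    verified = set()  # (user, login_id) pairs that passed a second factor so far
    findings = []
    for e in events:
        key = (e["user"], e["login_id"])
        if e["event"] in SECOND_FACTOR_OK:
            verified.add(key)
        elif e["event"] == "session_created":
            # A failed or late second factor does not satisfy the rule.
            if e.get("mfa_enabled") and key not in verified:
                findings.append(e)
    return findings

if __name__ == "__main__":
    for f in find_mfa_gaps(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["user"], f["login_id"], "session without prior second factor")
```

In the constructed sample the rule flags two logins: one where the second factor failed and one where it succeeded only after the session already existed.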

July 9, 2024

The report was picked up by the media. We received some customer inquiries, which we addressed through the following response:

"We're aware of the claims of an MFA bypass in the HackerOne platform and are investigating. However, these claims remain unsubstantiated and no technical detail has been provided to HackerOne. Reports of any valid security issue in the HackerOne platform are welcome via our world-class bug bounty program. As always, we monitor for suspicious login activity and are ready to take action if it were necessary. In addition, we will be launching a HackerOne Spot Check to further fortify our MFA posture."

July 11, 2024

Spot Check launched.

Conducting the Spot Check

Initial Request

Our internal security team worked with the bug bounty program manager and our internal customer success manager to craft the scope and focus of the Spot Check. The initial request looked like this:

"We would like the MFA authentication mechanism of the HackerOne platform deeply and thoroughly tested for any bypasses or other security issues.

Security researchers can test this functionality by creating accounts on the HackerOne platform and enabling MFA on their accounts. 

Target: https://x.com/MonThreat/status/1808854873510662370 

We are looking for any bypass of MFA where a username and password is enough to log in to an account with MFA enabled, i.e. MFA is not required. This includes the ability to determine a user's TOTP seed or predict the required MFA code based on other available information. 

Please review these previous reports of issues in MFA and their evaluation and resolution to avoid reporting duplicates: (the list of previous reports was included here)."

It was important to provide the existing MFA reports to the security researchers executing the Spot Check so they would know what issues had been found and how they had been triaged and resolved previously. This helped guide the researchers as to what issues were valuable to us and also helped them avoid reporting duplicate issues. 

Test Specs

  • Medium Spot Check at $1,000 each, with five security researchers for a total cost of $5,000
  • Selected a group of top researchers experienced with finding MFA bypasses quickly
  • Received submitted writeups from four researchers, each of whom spent 10-40 hours testing

Results

The Spot Check was a success and the security team is very pleased with the outcome. The detailed writeups provided confidence in the thoroughness and depth of testing authentication and, specifically, our implementation of multifactor authentication.

As a result of the Spot Check, we were also very grateful to have discovered one medium-severity issue: a race condition vulnerability in our 2FA reset process. The bug was resolved and disclosed in the HackerOne Platform.

The Value of Focused Testing Through Spot Checks

If you’re looking for highly focused testing with flexible direction and specific, test-based researcher selections that is faster and cheaper than a full-scale pentest, Spot Checks are the answer. At HackerOne, we love utilizing Spot Checks for our internal security needs, and our team is happy to discuss the best ways to implement Spot Checks for your organization. Contact our team today, or HackerOne customers can get started with a Spot Check now.
