Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3168691 by joejoe5
Summary: HackerOne previously carried out remediation work on the vulnerabilities at https://hackerone.com/bugs?subject=user&report_id=2619438 and https://hackerone.com/reports/2483422. However, further investigation reveals that the malicious payloads on HackerOne profiles have not been completely removed. This situation means that malicious attackers can still exploit these residual payloads to launch attacks, posing a significant threat to the platform's security and user information security.

Description: The previously exposed vulnerabilities indicate that HackerOne allows users to add social media profile information on the profile/edit page and customize their usernames. Due to the lack of effective input validation and sanitization mechanisms for social media platform links (except for Twitter, which has been sanitized but shows inconsistencies in security controls), users can construct custom URLs. This flaw enables hackers to hide malicious payloads, such as malicious .zip files, behind the social media buttons on their profiles. For example, attackers can access the profile edit page and use custom usernames to construct malicious payloads. When users visit Tedix's profile and click the GitHub button, a .zip file will be downloaded automatically. Despite HackerOne's efforts to fix the related vulnerabilities, it has been detected that some HackerOne profiles still contain malicious payloads previously deployed by attackers. These malicious payloads are hidden within the social media link settings, lying dormant. Through specific operations, such as clicking on certain social media links on some user profile pages, the malicious payloads can still be triggered to execute, or malicious files can be downloaded, mirroring the attack behavior before the vulnerabilities were fixed.
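The defensive pattern the report calls for, as an added example that is not HackerOne's code: social handles are checked against a per-platform allow-list before a profile link is built from them, and the same check is re-run over already stored values so residual entries from before the fix are found rather than left dormant. The platform rules, function names and sample records are assumptions constructed for this example.

```python
import re
from urllib.parse import quote, urlsplit

# Per-platform allow-lists: GitHub and Twitter follow the published username formats,
# the LinkedIn rule is an assumption for this example. Slashes, "..", "?", "#" and
# percent-escapes never match, so they are rejected instead of embedded in a link.
HANDLE_RULES = {
    "github": re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?"),
    "twitter": re.compile(r"[A-Za-z0-9_]{1,15}"),
    "linkedin": re.compile(r"[A-Za-z0-9-]{3,100}"),
}
PLATFORM_BASE = {
    "github": "https://github.com/",
    "twitter": "https://twitter.com/",
    "linkedin": "https://www.linkedin.com/in/",
}

def validate_handle(platform, raw):
    """Return the normalised handle if it passes the platform allow-list, else None."""
    rule = HANDLE_RULES.get(platform)
    if rule is None or not isinstance(raw, str):
        return None
    handle = raw.strip().lstrip("@")
    return handle if rule.fullmatch(handle) else None

def build_profile_link(platform, raw):
    """Build the social button URL from a validated handle only; never from raw input."""
    handle = validate_handle(platform, raw)
    if handle is None:
        return None
    url = PLATFORM_BASE[platform] + quote(handle, safe="")
    # Defence in depth: the result must still sit on the expected host and path prefix.
    built, expected = urlsplit(url), urlsplit(PLATFORM_BASE[platform])
    if built.netloc != expected.netloc or not built.path.startswith(expected.path):
        return None
    return url

def audit_stored_handles(records):
    """Re-validate stored (user, platform, value) rows so old bad data is surfaced."""
    return [(user, platform, value)
            for user, platform, value in records
            if validate_handle(platform, value) is None]

# Constructed sample of stored profile data, with two values that predate validation.
SAMPLE_RECORDS = [
    ("alice", "github", "octocat"),
    ("bob", "github", "../../malicious.zip"),
    ("carol", "twitter", "@carol_dev"),
    ("dave", "linkedin", "in/../../redirect?to=evil"),
]
```

Running `audit_stored_handles(SAMPLE_RECORDS)` returns only bob's and dave's rows, which is the sweep a remediation should perform over existing profiles, not just new submissions.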
HackerOne disclosed report --> https://hackerone.com/reports/3287208 by hellokbit
HackerOne disclosed report --> https://hackerone.com/reports/3558277 by uv3doble
HackerOne disclosed report --> https://hackerone.com/reports/3475626 by dphoeniixx