- Critical Thinking - Bug Bounty Podcast
[HackerNotes EP133] Building Hacker Communities - Bug Bounty Village, getDisclosed, and the LHE Squad
In this episode, we’re joined by Harley and Ari from HackerOne to talk some about community management roles within Bug Bounty, as well as discuss the evolution of Bug Bounty Village at DEFCON, and what they’ve got in store this year.
Hacker TL;DR
Bug Bounty Village - Meet the Team: Harley and Ariel from HackerOne's community management team are back, running the Bug Bounty Village this year at DEF CON. They absolutely killed it last year - here’s what to expect from the event:
Bug Bounty Village:
Badges & CTF: Get ready for exclusive electronic badges with built-in challenges. This year also features a CTF designed to mimic the real bug bounty experience—from reading a scope page to submitting a report for triage.
Talks & Panels: A completely stacked lineup of high-quality talks throughout the event, be sure to check out the schedule to not miss out on anything.
Get a Badge: You can pre-order an exclusive green variant of the badge for pickup at DEF CON here: shop.bugbountydefcon.com
How to get popped (Supabase edition): Harley’s side project, disclosed.online, got hacked due to a couple of Supabase vibe-coded misconfigurations:
Backend Auth Bypass: The frontend for self-registration was removed, but the backend API endpoint for it was left active, allowing users to still create accounts.
Postgres View Vuln: A view created to hide an email column didn't respect the Row Level Security (RLS) policies on the underlying table; by default it ran with the permissions of the admin role that created it, which amounted to unauthenticated admin access.
Fortunately, the project (and Harley) lived to tell the tale.
Meet the Team - Bug Bounty Village
If you’re in the LHE scene, you probably already know these two. If not, Harley and Ariel are the community managers at HackerOne and the driving force behind the Bug Bounty Village at DEF CON.
Both come from a technical background, with experience in pentesting and bug bounty hunting. They eventually found their way to the community side, driven by a passion for helping others and creating opportunities for hackers around the world.
Fortunately, they’ve joined forces to deliver another Bug Bounty Village at Defcon. It’s not one to miss, and if you haven’t been before, here’s what to expect.
Bug Bounty Village
Get ready for another year of the Bug Bounty Village at DEF CON, and it's bigger and better than before. With 30% more space and a focus on fitting more people in, it's set to be a hub for all things bug bounty.
Here’s a rough idea of what to expect in terms of layouts if you’re heading over to the event:

Badges and Coins
You might see some electronic badges floating around. There are 400 of the standard blue badges to give away, and you'll have to earn them. They'll be given out at random, for being one of the first in line, or for doing great things for the village.
These badges aren't just for show; they have integrated challenges. You'll also find challenge coins from various platforms that may resolve to a flag you can punch into the badge to make it do different things.
And I gotta admit, they look pretty sweet:

If you want to guarantee you get your hands on a badge, you can pre-order an exclusive green variant to pick up at the event. There are only 200 being made, and you can grab yours here:
Bug Bounty Village CTF

This year introduces a CTF designed to feel like a real bug bounty experience. Forget your typical CTF challenges; this is an intentionally vulnerable web application with a program page and a scope.
Your job is to go hack it. When you find a bug, you write a report, and that report gets triaged by volunteers. You get points based on the quality of your report, providing a learning experience for the entire bug bounty lifecycle.
If you’re looking for a CTF that has that real-world feel... this one might be for you!
Disclosed. & Disclosed.online
Now, just to be clear, these are two separate services by Harley. Disclosed. is your go-to source of all hacking and bug bounty-related news, and Disclosed.online is your hacker directory.
If you’ve been looking for another newsletter, definitely check out Disclosed. We’ve mentioned it before, but Harley gave us the inside scoop with some of the behind-the-scenes content creation:

He essentially vibe coded his own news aggregators, and included a feed to pick and choose news articles to publish, capture his voice and brand, and give a brief overview for the newsletter. Pretty cool.
Now disclosed.online - you might have seen this one from the X thread that trended, but Harley vibe-coded it, and in the true spirit of "ship fast" it got popped. The vulnerabilities stemmed from a couple of interesting Supabase misconfigurations.

Two main issues led to the compromise:
Backend Self-Registration: Originally, the app allowed users to self-register. Harley later decided to remove this feature from the frontend, turning it into a lead funnel for his newsletter. However, he only removed the frontend component and forgot to disable the Supabase backend API for self-registration. This meant anyone who knew the endpoint could still hit the API directly and create an account.
Leaky Postgres View: While poking at his own app, Harley noticed that querying a user record leaked all fields, including the user's email, which he wanted to keep private. To fix this, he created a Postgres view that queried all the same data but excluded the email field.
What he didn't realise is that when you create a view in Postgres, it doesn't respect Row Level Security (RLS) policies the way tables do. By default, queries through a view run with the privileges of the role that owns the view, not the role that is querying it. Since Harley created it as an admin, the view essentially granted unauthenticated admin access to the data.
A researcher found this flaw and proceeded to change all the profile pictures to his own avatar and edit everyone's bios. A bit of a PITA, but hey, at least the researcher worked with Harley to resolve it!
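To make the view problem concrete, here is an added example (written for these notes, not code from disclosed.online or from Harley) that reproduces the misconfiguration and its fix in Postgres as Supabase deploys it. The `profiles` table, its columns and the policy names are assumptions; `auth.uid()` is Supabase's helper that returns the caller's user id from the request JWT, and `anon` / `authenticated` are Supabase's standard database roles. The `security_invoker` view option it relies on exists in Postgres 15 and later.

```sql
-- Added example: a Postgres view that bypasses Row Level Security, and the fix.
-- Assumed schema: a public hacker directory where everyone may read profiles,
-- only the owner may edit their own row, and email must never be exposed.

create table public.profiles (
  id          uuid primary key,   -- assumed to match auth.users.id
  username    text not null,
  bio         text,
  avatar_url  text,
  email       text not null       -- private: must not leak through the API
);

alter table public.profiles enable row level security;
-- Defence in depth: apply RLS even to the table owner (normally exempt).
alter table public.profiles force row level security;

create policy "profiles are publicly readable"
  on public.profiles for select
  using (true);

create policy "owner can update own profile"
  on public.profiles for update
  using (id = auth.uid())
  with check (id = auth.uid());

-- Supabase grants anon/authenticated broad privileges on public by default,
-- so narrow them: column-level grants are what actually hide the email.
revoke all on public.profiles from anon, authenticated;
grant select (id, username, bio, avatar_url) on public.profiles to anon, authenticated;
grant update (username, bio, avatar_url)     on public.profiles to authenticated;

-- THE MISCONFIGURATION: a plain view created by the admin/owner role.
-- Without security_invoker, every query through it runs as the view's owner.
-- The owner's privileges (and, unless forced, the owner's RLS exemption) apply,
-- and because the view is simple enough to be auto-updatable, an anonymous
-- client can UPDATE every row through it: exactly the avatar/bio mass edit
-- described above.
create view public.public_profiles as
  select id, username, bio, avatar_url
  from public.profiles;

-- THE FIX: make the view check privileges and RLS against the caller,
-- and grant the API roles nothing more than read access on the view.
drop view public.public_profiles;
create view public.public_profiles
  with (security_invoker = true) as
  select id, username, bio, avatar_url
  from public.profiles;

grant select on public.public_profiles to anon, authenticated;

-- Check as the anonymous API role (auth.uid() is NULL with no JWT):
-- the read works, the write is blocked by RLS and by the missing UPDATE grant.
set role anon;
select id, username from public.public_profiles;           -- rows returned
update public.public_profiles set bio = 'owned';          -- permission denied
reset role;
```

Two design notes on the fix. First, `security_invoker` alone is not enough if the API roles still hold `UPDATE` on the base table for other users' rows; the RLS policy and the column-level grants are what limit writes to the owner's own row, and the view only stops privilege from being borrowed from its creator. Second, the first issue in the episode (self-registration left enabled on the backend) is the same class of mistake seen from the other side: the control lives in the Supabase auth configuration (the "allow new users to sign up" setting, `enable_signup` under `[auth]` in the CLI's `config.toml`), so removing a button in the frontend changes nothing the API enforces.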
A shorter HackerNotes this week in preparation for Defcon. If you’re going, the CTBB team will be there, so be sure to come find us.
Till next week, keep hacking!