$7,500 Bug: Exposing Any HackerOne User’s Email via Private Program Invite
Security researcher haxta4ok00 found a critical vulnerability in HackerOne's private program invitation system: by combining GraphQL queries with the "invite via username" feature, an invited user's private email address could be leaked. The flaw could lead to large-scale privacy exposure and de-anonymization of accounts. 2025-6-7 05:47:43 Author: infosecwriteups.com

How One GraphQL Query Turned Private Invites into Public Data Leaks

Monika Sharma

Summary

Security researcher haxta4ok00 uncovered a critical email disclosure vulnerability in HackerOne’s private program invitation system. By combining the “invite via username” feature with GraphQL queries, the researcher was able to leak any invited user’s private email address — without their consent or interaction.

This flaw, if exploited at scale, could have led to massive privacy violations, enabling attackers to de-anonymize HackerOne accounts, target users with phishing, or scrape thousands of emails from the platform.

Steps to Reproduce

1. Navigate to a Customer’s Private Program Launch Page

Example: https://hackerone.com/hackerone_h1p_bbp3/launch

2. Invite a Known Username

  • Use the “Invite via Username” field
  • Enter a valid HackerOne username (e.g., zebra)
  • Submit the invite

3. Retrieve the Invite Token

  • After submission, the backend creates a token tied to that invite
  • Use the GraphQL query to extract…

Source: https://infosecwriteups.com/7-500-bug-exposing-any-hackerone-users-email-via-private-program-invite-de6fd6b3b6c8?source=rss----7b722bfd1b8d---4