$20,000 Bounty: How a Leaked Session Cookie Led to an Account Takeover
Understanding Session Hijacking and Preventing Session Leaks
📌 Timeline of the Incident
- November 24, 2019, 12:48 UTC: A security analyst accidentally leaks a session cookie in a report comment.
- November 24, 2019, 13:08 UTC: A hacker discovers the leak and reports it through the bug bounty program.
- November 24, 2019, 15:08 UTC: HackerOne begins triaging the report.
- November 24, 2019, 15:11 UTC: The leaked session cookie is revoked.
- November 24, 2019, 16:07 UTC: Incident response investigation begins.
- November 24, 2019, 21:27 UTC: Technical investigation concludes, confirming no malicious intent.
- November 25, 2019, 08:49 UTC: Affected customers are notified.
- November 26, 2019, 01:58 UTC: Security improvements are implemented, restricting sessions to originating IP addresses.
- November 26, 2019: HackerOne updates its bug bounty policy regarding session security.
- November 27, 2019: The final incident report is published.
- Bounty Awarded: The researcher receives $20,000 for responsibly reporting…