Residual Malicious Payloads on HackerOne after Vulnerability Fixes

Disclosed: 2026-04-16 12:06:13 By joejoe5 To security
Medium
Vulnerability Details
**Summary:** HackerOne previously remediated the vulnerabilities reported in https://hackerone.com/bugs?subject=user&report_id=2619438 and https://hackerone.com/reports/2483422. Further investigation shows that the malicious payloads planted on HackerOne profiles have not been completely removed. Attackers can still exploit these residual payloads, which poses a significant risk to the platform and to the security of its users' information.

**Description:** The earlier reports showed that HackerOne lets users add social media profile information on the profile/edit page by entering a custom username for each platform. Because the social media links are built from that username without effective input validation or sanitization (Twitter is the exception: its link is sanitized, which shows that the controls are applied inconsistently), users can construct arbitrary URLs. A user can therefore hide a malicious payload, such as a malicious .zip file, behind the social media buttons on their profile: the attacker opens the profile edit page and enters a crafted "username" that is really a path. When a visitor opens Tedix's profile and clicks the GitHub button, a .zip file is downloaded automatically.

Despite HackerOne's fix for the related vulnerabilities, some HackerOne profiles still contain malicious payloads deployed by attackers before the fix. These payloads sit dormant in the social media link settings. Clicking certain social media links on the affected profile pages still triggers them: the payload executes or a malicious file is downloaded, mirroring the attack behaviour from before the vulnerabilities were fixed.

### Steps To Reproduce

1. Visit https://hackerone.com/tedix and look at his GitHub link: https://github.com/Tedixx/i/raw/i/i.zip
2. Visit https://hackerone.com/joejoe5 and look at his GitHub link: https://github.com/p091/1/raw/main/1。zip {F4398378}

**Both of them can be downloaded without any warning!**

### Suggestions and Solutions

Comprehensive inspection and cleanup: HackerOne should immediately inspect all user profiles to identify and remove all residual malicious payloads. Dedicated scripts or professional security scanning tools can be used to scan the social media links and related settings on every user profile in depth, so that no malicious payloads are left behind.

Strengthen security detection mechanisms: The frequency and depth of security checks on user profile pages should be increased. Rigorous checks should be applied not only when users submit profile information but also to existing profiles through regular rescans, so that potential malicious activity and security risks are detected promptly. For example, all users' social media links could be checked automatically every week to ensure they are legitimate and safe.

## Impact

Attackers are able to construct their own payloads, as long as these are below 25 characters. These can be used for payload delivery, redirects, XSS, or abuse of other vulnerabilities/gadgets on the social platforms.
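The two halves of this report, the flaw (a stored "username" appended to a platform base URL with no validation) and the proposed remediation (a rescan of existing profiles), are illustrated below in one added Python example. It is not HackerOne's code and makes no claim about how the platform actually builds these links. The per-platform handle rules are assumptions based on the public username formats of GitHub, Twitter and LinkedIn, and the profile records are constructed for the example. The unsafe builder reproduces the behaviour the report describes; the hardened builder rejects anything that is not a bare username, and the scanner applies the same allowlist to stored data so that payloads planted before a fix are found rather than left dormant.

```python
import re
from urllib.parse import urlsplit

# Illustrative per-platform handle rules (assumption: modelled on each site's
# public username format, not taken from HackerOne's own validation code).
# Each rule is an allowlist: anything outside it is rejected outright.
PLATFORM_RULES = {
    "github": {
        "base": "https://github.com/",
        # 1-39 chars, alphanumerics and single hyphens, no leading/trailing hyphen
        "pattern": re.compile(r"^[A-Za-z0-9](?:-?[A-Za-z0-9]){0,38}$"),
        "max_len": 39,
    },
    "twitter": {
        "base": "https://twitter.com/",
        "pattern": re.compile(r"^[A-Za-z0-9_]{1,15}$"),
        "max_len": 15,
    },
    "linkedin": {
        "base": "https://www.linkedin.com/in/",
        "pattern": re.compile(r"^[A-Za-z0-9-]{3,100}$"),
        "max_len": 100,
    },
}


def build_social_url_unsafe(platform, handle):
    """The flawed pattern the report describes: the stored 'username' is
    appended to the platform base URL with no validation, so a value such as
    'Tedixx/i/raw/i/i.zip' becomes a link to an arbitrary file on github.com."""
    return PLATFORM_RULES[platform]["base"] + handle


def validate_handle(platform, handle):
    """Return True only if `handle` is a bare username for `platform`.
    Path separators, query/fragment characters, whitespace and non-ASCII
    (for example the fullwidth stop in '1。zip') all fail the allowlist."""
    rule = PLATFORM_RULES.get(platform)
    if rule is None or not isinstance(handle, str):
        return False
    if len(handle) > rule["max_len"]:
        return False
    return rule["pattern"].fullmatch(handle) is not None


def _path_depth(url):
    return len([seg for seg in urlsplit(url).path.split("/") if seg])


def build_social_url(platform, handle):
    """Hardened builder: validate first, then confirm the result has exactly
    one more path segment than the base and no query or fragment."""
    if not validate_handle(platform, handle):
        raise ValueError(f"invalid {platform} handle: {handle!r}")
    base = PLATFORM_RULES[platform]["base"]
    url = base + handle
    parts = urlsplit(url)
    if _path_depth(url) != _path_depth(base) + 1 or parts.query or parts.fragment:
        raise ValueError("handle altered URL structure")
    return url


def scan_profiles(profiles):
    """Rescan stored profiles (the report's remediation suggestion): return every
    (username, platform, handle) whose stored handle fails the allowlist, i.e. a
    residual payload that a naive URL builder would still render as a link."""
    findings = []
    for profile in profiles:
        for platform, handle in profile["social"].items():
            if not validate_handle(platform, handle):
                findings.append((profile["username"], platform, handle))
    return findings


# Constructed sample data (not real HackerOne records); the bad handles are
# shaped like the ones the report describes.
SAMPLE_PROFILES = [
    {"username": "alice", "social": {"github": "octocat", "twitter": "octocat"}},
    {"username": "mallory", "social": {"github": "Mallory/x/raw/x/x.zip"}},
    {"username": "eve", "social": {"github": "eve/1/raw/main/1。zip", "twitter": "eve_"}},
    {"username": "bob", "social": {"linkedin": "bob-smith", "github": "-bob"}},
]

if __name__ == "__main__":
    print("unsafe:", build_social_url_unsafe("github", "Mallory/x/raw/x/x.zip"))
    print("safe:  ", build_social_url("github", "octocat"))
    for finding in scan_profiles(SAMPLE_PROFILES):
        print("residual payload:", finding)
```

The structural check in `build_social_url` is deliberately redundant with the regex: if a later change loosens one of the allowlists, the path-depth check still refuses to emit a link that points anywhere other than a profile page. Running the scanner on a schedule, as the report suggests, turns the same allowlist into a detection for payloads that were stored before validation existed.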
Report Stats
  • Report ID: 3168691
  • State: Closed
  • Substate: resolved
  • Upvotes: 6