SIGNUP / Hackerone identification
- SIGNUP: when registering an organisation, page, application or any "service" within our various services, please prepend [Hackerone] to the names you use. For example, when registering a business or organisation within the Yoti Sign service, you should use: [Hackerone] Whatever name you like here
Important Notices
- Free Trial Endpoint: Please refrain from testing the rate limiting or anti-automation capabilities of the Yoti Sign free trial service. We're already addressing this issue, so no automated requests, please.
- Developer Documentation Site: Testing on DEVELOPERS.YOTI.COM is strictly prohibited, as it's a third-party hosted site and not part of our security concerns.
- Mail Security Features: SPF/DKIM/DMARC are optional and not within our program's scope, unless a major issue with the configuration exists. We acknowledge their importance but won't reward findings related to these.
- IAM Layer: An identity and access control layer sits in front of a number of our services. Please note that a vulnerability discovered within the IAM layer on one website e.g. health.yoti.com, is highly likely to extend to other services that rely on IAM e.g. hub.yoti.com. Vulnerabilities within IAM will not be rewarded multiple times across services, unless there is a clear and obvious difference between reported vulnerabilities.
Program Overview
Yoti aims to enhance security through collaboration with the security community. We prioritize the safety of our business and customers by encouraging the discovery of vulnerabilities.
- Response Times: Expect a response within 3 business days and a bounty decision within 10 days after a legitimate issue is validated.
- App Focus: Yoti's primary product is our mobile app (Android and iOS) alongside hosted backend services and the e-signing platform, Yoti Sign. These are key areas of interest for our bug bounty program.
- Eligibility & Disclosure: Report issues promptly following HackerOne's guidelines, with detailed, reproducible steps. Only the first unique report received will be rewarded.
Program Rules
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Provide us with a reasonable amount of time (90 days) to resolve the issue before any disclosure to the public or a third party.
Scope
A list of assets is included in the Structured Scope Section. For detailed guidance on how to use Yoti services and applications, please see: developers.yoti.com. Please note that any vulnerabilities discovered within services listed on our Developer documentation site will be considered for reward.
Rewards
Rewards vary by the severity of vulnerabilities, at Yoti's discretion. We aim to reward innovative and severe vulnerabilities.
Critical severity bug examples
- Remote code execution on production systems housing sensitive data or functionality
- Arbitrary access to any user’s profile or sensitive data
High severity bug examples
- Remote code execution on a non-critical system
- Arbitrary access to a single user’s profile or sensitive data
- Remote code execution in mobile client (Android, iOS)
Medium severity bug examples
- Significant authentication or authorisation bypass
- Cross Site Scripting on www.yoti.com working on all browsers
- Cross Site Request Forgery on critical actions
- Leakage of personally-identifiable information
- Insecure data storage
Low severity bug examples
- Leakage of technical information that has a demonstrable impact
- Debug functionality
Qualifying Vulnerabilities
Any design or implementation issue that is reproducible and substantially affects the security of Yoti users is likely to be in scope for the program. When in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The Google Bug Hunters University guide may be useful in considering whether something has impact.
Exclusions
- The website www.yoti.com is currently out of scope as it is a marketing website
- The form at www.yoti.com/business/esignatures/free-trial is strictly out of scope
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS, or other high-rate attacks)
- Resource exhaustion type attacks
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Spamming, email spoofing, or phishing attacks
- Social engineering of Yoti staff or customers
- Any physical attempts against Yoti property or data centers
- Rooted mobile devices are not in scope
- Self-XSS (tricking someone into running scripts in their own console)
- Bugs that cause the application to not function, but that are not security-related. For instance, modifying the data sent to our servers and causing your account to get into an unusable state might be possible but is not in scope
- Web bugs that only affect outdated versions of Chrome, Firefox, Safari, IE10 or Edge
Known Issues
The following issues are known about and are not eligible for bounties:
- Lack of rate limiting via our APIs. This is a known issue and something we are working towards resolving.
Yoti SICAP Liveness detection service campaign (March 2024)
Scope:
We are inviting research to test Yoti's end-to-end Secure Capture Liveness detection software here. The service ingests a live video/image stream and returns an age estimation to end-users. That's it!
The entire purpose of this specific campaign is to test injection attacks against our end-to-end service.
In order to be successful, researchers will need to bypass the camera capture step, replace the camera's real-time stream using a prerecorded video or image and finally, receive a valid age or liveness response from the back-end service (200 OK).
Remember, Liveness detection uses your camera in real-time, whereas an attack uses pre-recorded video or images to trick the back-end service!
Reward
We'll be paying a flat rate of $1000 per legitimate vulnerability!
Attack examples:
- Man in the middle:
- Successfully intercept and modify a secure request, changing the image captured by the Yoti client-side Web Face Capture Module, and get a model estimation from the back-end service.
- Replay attacks:
- Reuse of a previously valid payload request to perform a second request, receiving a second estimation over the same image.
- Software attack:
- Use any software program to simulate a real camera device and use it to inject a pre-captured image.
- Hardware attack:
- Use any hardware to simulate a real camera device and inject a prerecorded video.
- Other:
- Be creative! Any other attack type that allows you to send a pre-captured image, bypassing the SICAP capture step, and get a valid model estimation in a secure request.
In scope
- Purely injection style attacks that are successful against the e2e service are in scope.
- Tricking the SICAP back-end into believing what you have uploaded is a genuine image.
NOT in scope
- Modifications to the front-end response (through response capture); this is not considered a successful "end-to-end" attack as it has not passed through our back-end.
- The service itself that is used to facilitate the test; this website has been quickly propped up for campaign purposes.
- Google OAuth, DNS, SSL, certificate issues, headers, XSS, SQL etc. are not what we're concerned about. This is not a traditional type of test!
- NOTE: simply changing ?secure=true from true to false (or removing it) is not considered a bypass and won't be accepted as a find, unfortunately.
Guidance:
- Log in to our SICAP Liveness scan demo service with a valid Gmail account.
- Feel free to select any of the metadata options on the Settings page; it doesn't matter which option you choose.
- Test some injection attacks! The guidance on this page is a good place to start.
Additional:
- There are multiple tutorials and YouTube videos on “how to inject videos” on webcams, please see them for inspiration and ideas!
- Software programs such as FakeCam and ManyCam, or any other virtual camera should provide an idea of what we're looking for.
You'll need to log in using a valid Gmail account:
You'll then want to "perform the scan" via the Scan tab:
A successful injection attack will be a situation whereby you are able to successfully manipulate the system to receive a model estimation response back from the server side, calling /v1/age or /v1/age-antispoofing with an altered image or secure payload, and receiving a 200 OK response.
You may try as many times as you wish, but please note that rate limiting is not in effect, so brute forcing attempts are not wanted and will not be rewarded.
SICAP Privacy notice
This is very important, so please read carefully:
The "secure" parameter within the GET URI is not something we are concerned about and we are well aware of it; simply changing or removing this parameter is not a valid find.
All end-to-end attempts will be recorded within our back-end. This will include the request ID, the associated email address and the images and/or videos that are used as part of the attempted injection attack(s).
Data is kept entirely separate from other Yoti data, stored securely within Google Cloud and access restricted to certain members of Yoti. All data will be removed at the end of the campaign.
All images, video and metadata will be removed at the end of the campaign, unless we specifically reach out to those successful and explicitly ask you for permission to retain the data that relates to a successful attempt (images and/or video).
Please note that you do not need to use yourself as the subject of the images/video that you upload; a successful attack could consist of data containing any image/video you choose, as long as it returns a successful response.
As outlined above, Yoti may use your information to improve this specific technology. All data will be permanently deleted at the end of the campaign period (maximum 28 days after completion of campaign). For more information please contact [email protected]
In summary, please visit our Liveness detection service, log in using a Gmail account and attempt to upload a pre-recorded video or image to our back-end. A successful 200 response (for "injected images") will be rewarded!