HotDoc

  • $50 – $8,000 per vulnerability
  • Partial safe harbor

New features and Bonus Opportunities on HotDoc Dashboard!

There have been some recent updates to HotDoc Dashboard on the HotDoc program. We highly recommend you take a look at this additional attack surface – which hopefully means more vulnerabilities! Here is what’s new:


Update Invitation Flow

What's this feature about?

Managers are now able to invite a user to multiple clinics with Dashboard Only access level.

How does it work on the Dashboard?

A manager can invite a user with Dashboard Only access to multiple clinics, either by selecting specific clinics or by selecting all the clinics the manager has access to. See "How to add a new user account for Dashboard Switching" in the Dashboard User Switching support article for the steps to invite a user to multiple clinics.

How does it work?

For a manager who has access to multiple clinics, the Dashboard allows them to invite other users to multiple clinics by making these requests:

# Invite the new user to every clinic the acting manager has access to
# (clinic_ids is left empty; invite_to_all_clinics selects them all).
curl 'https://bugcrowd.hotdoc.com.au/api/dashboard/clinic_user_accesses' \
  -H 'acting-for: 3770' \
  -H 'authorization: Token token=#{authentication_token}, email=#{email_of_manager}' \
  -H 'content-type: application/json' \
  -H 'accept: application/au.com.hotdoc.v3' \
  --data-raw '{"clinic_user_access":{"access_level":"dashboard_only","email":"#{email_of_new_user}","clinic_ids":[],"can_manage_clinic_user_accounts":#{boolean},"invite_to_all_clinics":true}}'

# Invite the new user to an explicit list of clinics
# (clinic_ids is a JSON array of clinic id strings; invite_to_all_clinics is false).
curl 'https://bugcrowd.hotdoc.com.au/api/dashboard/clinic_user_accesses' \
  -H 'acting-for: 3770' \
  -H 'authorization: Token token=#{authentication_token}, email=#{email_of_manager}' \
  -H 'content-type: application/json' \
  -H 'accept: application/au.com.hotdoc.v3' \
  --data-raw '{"clinic_user_access":{"access_level":"dashboard_only","email":"#{email_of_new_user}","clinic_ids":#{array_of_clinic_ids, for example: ["1", "2"]},"can_manage_clinic_user_accounts":#{boolean},"invite_to_all_clinics":false}}'

Note that if an existing clinic user is invited to multiple clinics, their sidebar access is reduced: a user with the Dashboard and Sidebar access level is reduced to Dashboard Only when invited to a second clinic, and by the same logic a user with the Sidebar Only access level is reduced to No Access when invited to another clinic.
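The following is an added example, not HotDoc's or Bugcrowd's code, that models the two invite requests above and the access-level reduction rule from the note. It builds the request body with json.dumps rather than the literal #{...} interpolation shown in the curl examples, so a caller-supplied e-mail is always encoded as a JSON string and cannot change the shape of the request, and it rejects the inconsistent combinations of clinic_ids and invite_to_all_clinics. The URL, header names, the acting-for value 3770 and the access_level value dashboard_only come from the page; the other three access-level strings, the function names and the token value are assumptions made for this example.

```python
import json

API_BASE = "https://bugcrowd.hotdoc.com.au/api/dashboard"  # from the program page

# "dashboard_only" is the API value shown on the page. The other three are
# the UI labels from the page's note, written as assumed identifiers here.
DASHBOARD_AND_SIDEBAR = "dashboard_and_sidebar"  # assumed
DASHBOARD_ONLY = "dashboard_only"
SIDEBAR_ONLY = "sidebar_only"                    # assumed
NO_ACCESS = "no_access"                          # assumed


def build_invite_request(manager_token, manager_email, acting_for, new_user_email,
                         clinic_ids=None, invite_to_all_clinics=False,
                         can_manage_clinic_user_accounts=False):
    """Return {"url", "headers", "body"} for a Dashboard Only invite.

    The body is produced with json.dumps, so every caller-supplied value is a
    properly quoted JSON string or boolean; nothing is string-interpolated
    into the JSON text.
    """
    clinic_ids = list(clinic_ids or [])
    if invite_to_all_clinics and clinic_ids:
        raise ValueError("clinic_ids must be empty when invite_to_all_clinics is true")
    if not invite_to_all_clinics and not clinic_ids:
        raise ValueError("select at least one clinic or set invite_to_all_clinics")
    if not all(isinstance(c, str) and c.isdigit() for c in clinic_ids):
        raise ValueError('clinic_ids must be numeric strings, e.g. ["1", "2"]')

    headers = {
        "acting-for": str(acting_for),
        "authorization": f"Token token={manager_token}, email={manager_email}",
        "content-type": "application/json",
        "accept": "application/au.com.hotdoc.v3",
    }
    body = {
        "clinic_user_access": {
            "access_level": DASHBOARD_ONLY,
            "email": new_user_email,
            "clinic_ids": clinic_ids,
            "can_manage_clinic_user_accounts": bool(can_manage_clinic_user_accounts),
            "invite_to_all_clinics": bool(invite_to_all_clinics),
        }
    }
    return {"url": f"{API_BASE}/clinic_user_accesses",
            "headers": headers,
            "body": json.dumps(body)}


def body_fields(request):
    """Decode the clinic_user_access object from a built request body."""
    return json.loads(request["body"])["clinic_user_access"]


def reduced_access_level(current_level, already_in_another_clinic):
    """Apply the page's rule: being invited to a further clinic removes
    sidebar access. A user's first clinic keeps the level as granted."""
    if not already_in_another_clinic:
        return current_level
    return {
        DASHBOARD_AND_SIDEBAR: DASHBOARD_ONLY,
        SIDEBAR_ONLY: NO_ACCESS,
    }.get(current_level, current_level)


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real credential.
    req = build_invite_request("TOKEN_PLACEHOLDER", "manager@example.com", 3770,
                               "new.user@example.com", clinic_ids=["1", "2"])
    print(req["url"])
    print(req["body"])
    print(reduced_access_level(DASHBOARD_AND_SIDEBAR, already_in_another_clinic=True))
```

The e-mail check at the end of the test below uses a constructed address containing a double quote to show that json.dumps keeps it inside the string value; with the #{...} interpolation in the curl examples the same value would produce malformed JSON.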

Important: we are aware of an issue with Clinic User Access escalation. Broken authorization that allows Clinic Users to interact directly via the API with products they cannot see in the UI is already listed as Out of Scope.


Bonus Opportunity - First to Find Authentication Vulnerabilities on Focus Areas:

Severity   Current Bounty   Bonus Bounty
P1         $4000            $500
P2         $1250            $500
P3         $500             $100

Have fun! As always, please see the program brief for the full details around testing. If you have any questions, please reach out to support@bugcrowd.com.

Get out there and lay claim to those bugs!