Friday, November 16, 2018

Spoofing file extensions on HackerOne

While testing HackerOne, I observed an issue with the file upload functionality. It seems that on file upload, the uploader uses the content within the file to determine the content type of the file instead of its file extension.

Although this does not pose much of a risk, since the changed extension would be visible at download time, I wanted to blog about it anyway.

This raises the following two scenarios:

Scenario 1

  • Open batch.cmd from the posted comment.
  • Observe that an image is rendered and there is no warning from HackerOne.
  • The user downloads the file, thinking it is an image file.
  • If the user ignores the downloaded file's extension and opens it, the malicious batch file is executed.



Scenario 2

  • Open myFile.txt from the posted comment.
  • You will see a warning from HackerOne, but since the file is a .txt file the user might just go ahead.
  • The user downloads the file, thinking it is a text file.
  • If the user ignores the downloaded file's extension and opens it, the malicious HTML script executes.


Reason:

  1. The `Content-Disposition: attachment; filename=""` header in the response from hackerone-attachments.s3.amazonaws.com does not contain a filename, forcing the browser to decide the file's name.
  2. Since HackerOne decides the Content-Type on the basis of the file's content header instead of its extension, some browsers simply save it on the user's computer with an incorrect extension, which causes Scenarios 1 and 2 above.

HackerOne Report:
https://hackerone.com/reports/268123 (Closed as Informative)
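The two causes above translate directly into a defender-side check. The Python below is an added example, not HackerOne's code: it sniffs the leading bytes the way a content-sniffing uploader would, rejects an upload whose extension disagrees with the sniffed type, and builds the download headers the post says were missing (a real filename plus nosniff). The extension table, magic-byte list and sample files are constructed assumptions, not values from the report.

```python
import os
import re

# Constructed tables: allowed extensions and magic bytes for a few common types.
# A real service would use a fuller list (or libmagic); the rules are the same.
EXT_TO_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".txt": "text/plain"}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype\s+html|html|script|body|iframe)", re.I)

def sniff_content_type(data: bytes) -> str:
    """Type implied by the leading bytes, the way a content-sniffing uploader sees it."""
    head = data[:512]
    for sig, mime in MAGIC:
        if head.startswith(sig):
            return mime
    if HTML_MARKERS.search(head):
        return "text/html"
    try:
        head.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload should be rejected: the extension must be
    on the allow-list and must agree with what the bytes say the file is."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXT_TO_MIME.get(ext)
    if declared is None:
        return f"extension {ext or '(none)'} not allowed"
    sniffed = sniff_content_type(data)
    if sniffed != declared:
        return f"content looks like {sniffed} but extension says {declared}"
    return "ok"

def download_headers(filename: str) -> dict:
    """Headers that pin the download name and stop the browser from guessing a type."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename)) or "download"
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe}"',
            "X-Content-Type-Options": "nosniff"}

# Constructed samples mirroring the post's two scenarios (image bytes under a .cmd
# name, HTML under a .txt name); neither is a real attachment from the report.
PNG_AS_CMD = ("batch.cmd", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
HTML_AS_TXT = ("myFile.txt", b"<!DOCTYPE html><html><body>hello</body></html>")
```

Both scenarios are caught at upload time, and `download_headers` removes the browser's need to pick a name or type at download time, which is the gap the two reasons above describe.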
