Hello from the other side. Interview with a bug bounty hunter.
Earlier this month Belgian bug bounty hunter, Inti De Ceukelaire disclosed a creative hack that affects hundreds of companies. The trick involves exploiting faulty business logic in popular helpdesk and issue trackers to gain access to intranets, social media accounts or most often Yammer and Slack teams. You can read about the details on Inti's own blog post. I was impressed by the creativity needed to come up with this exploit and curious about the process involved, so I decided to ask Inti some questions, and I'm sharing his answers with you.
Hello Inti, can you briefly introduce yourself to our readers?
I'm Inti, bug bounty hunter at Intigriti and Hackerone. I live in Aalst (Belgium) and spend my days breaking stuff.
Last week I read your blog post about what you have since called 'Ticket Trick' and I was impressed by your creativity to find this exploit. How did you come up with the idea to try out this trick?
I participate in bug bounty programs, which means that certain websites offer money to responsible security researchers that discover unique vulnerabilities. As there's a lot of competition, you need to keep looking for stuff others haven't already found. I thought Slack was an interesting attack vector because it often holds sensitive information and sometimes only requires a valid company e-mail. So I grabbed a beer, laid down in the sofa and started thinking about all the possible attack vectors. Suddenly I had this wild idea - and it turned out it worked. I generally try everything that comes into my mind. Even though that only works for a few times, it pays off. ;-)
As someone who is usually working on the opposite side, trying to secure code, I often wonder what a pentesting session looks like. Where do you work? Is it something you also do in your free time from your couch? Or do you sit in an office?
During the day I work as a digital creative coder at a radio station called Studio Brussel. It involves some programming and some social media, but no security. I try not to mix my hobby with my professional job. I'm afraid I'd lose my creativity if I did. I don't hack that often: maximum a few hours a week. It can be at the table, on the couch or on my bed - whatever is comfortable at that moment.
How do you start? Do you have a cheat sheet? Do you have some inputs to test if there is sufficient input validation or output escaping?
I'm really chaotic so I don't really have a checklist, I just use my gut feeling. Most of the time I start of with something called recon: listing all interesting target information, subdomains, IP addresses, whatever I can find. I try to see the bigger picture and understand the business logic before I even start hacking. If you only look for the standard, text-book vulnerabilities, you'll miss a lot of the more clever and complex flaws. When it comes to input, I try to cover as many vulnerabilities possible in one payload. Whenever I discover something interesting, I play around with it for a while and throw a lot of nonsense into it, just to see how the system reacts to it. The best bugs can often be found in the more remote parts of a web application, so I try to dig as deep as I can.
What do you think makes a good pentester? Any tricks up your sleeve you can share us?
I'm not a pentester so I can't really speak for pentesters in general, but I think motivation and persistence are the most important assets. Most people won't even consider looking for security vulnerabilities in Google because they have the best engineers in the world, yet they pay out millions of bug bounties every year. I'm working on a target for over 2 years and now I'm starting to get to the really interesting bugs. It takes a while. The problem with normal pentesting is that the testers are rewarded a set amount, whether they find critical vulnerabilities or not. I believe there are still plenty of bugs left in Facebook, it just takes someone that is willing to dig deep enough.
When you realized the scale of the Ticket Trick, what was your first thought?
I had mixed feelings. I felt amazed and immediately thought of the bug bounties I could collect with it, but on the other hand I was shocked that this was possible. Whenever you find something like this, you suddenly own a lot of precious information malicious parties would be very interested in. The disclosure process is a tough one: you need to inform as many affected companies as possible, but on the other hand, you need to make sure the information doesn't get leaked or abused.
Why did you decide to release the information before collecting more bounties?
Doing the right thing is more important than collecting bounties. I think I had my fair share and now want to give back to the community. Besides, I've been informing companies about this issue for months, so more and more people knew about it. I didn't want it to get leaked or abused by someone with bad intentions.
How did you feel about the responses from affected companies?
Most of the responses were satisfying. Some companies didn't really care about it, but at the end of the day, it's their loss. Being rejected as a security researcher is part of the game. At least I didn't get any lawsuits. 10 years ago, that probably would've been the case.
One last question, on reddit I read that you claimed $8,000 in bug bounties, do you have any cool plans to spend this money?
In total, I got more than $20,000 from this bug. More than half of it goes to taxes. I spend the rest on normal things like travel trips, going out for dinner, ... nothing crazy. :-)
Thank you very much for your time and good luck hunting in the future!
The bug is still out there. It isn't something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.
The bug is still out there. It isn't something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoApplication Security Researcher - R&D Engineer - PhD Candidate
Earlier this month Belgian bug bounty hunter, Inti De Ceukelaire disclosed a creative hack that affects hundreds of companies. The trick involves exploiting faulty business logic in popular helpdesk and issue trackers to gain access to intranets, social media accounts or most often Yammer and Slack teams. You can read about the details on Inti's own blog post. I was impressed by the creativity needed to come up with this exploit and curious about the process involved, so I decided to ask Inti some questions, and I'm sharing his answers with you.
Hello Inti, can you briefly introduce yourself to our readers?
I'm Inti, bug bounty hunter at Intigriti and Hackerone. I live in Aalst (Belgium) and spend my days breaking stuff.
Last week I read your blog post about what you have since called 'Ticket Trick' and I was impressed by your creativity to find this exploit. How did you come up with the idea to try out this trick?
I participate in bug bounty programs, which means that certain websites offer money to responsible security researchers that discover unique vulnerabilities. As there's a lot of competition, you need to keep looking for stuff others haven't already found. I thought Slack was an interesting attack vector because it often holds sensitive information and sometimes only requires a valid company e-mail. So I grabbed a beer, laid down in the sofa and started thinking about all the possible attack vectors. Suddenly I had this wild idea - and it turned out it worked. I generally try everything that comes into my mind. Even though that only works for a few times, it pays off. ;-)
As someone who is usually working on the opposite side, trying to secure code, I often wonder what a pentesting session looks like. Where do you work? Is it something you also do in your free time from your couch? Or do you sit in an office?
During the day I work as a digital creative coder at a radio station called Studio Brussel. It involves some programming and some social media, but no security. I try not to mix my hobby with my professional job. I'm afraid I'd lose my creativity if I did. I don't hack that often: maximum a few hours a week. It can be at the table, on the couch or on my bed - whatever is comfortable at that moment.
How do you start? Do you have a cheat sheet? Do you have some inputs to test if there is sufficient input validation or output escaping?
I'm really chaotic so I don't really have a checklist, I just use my gut feeling. Most of the time I start of with something called recon: listing all interesting target information, subdomains, IP addresses, whatever I can find. I try to see the bigger picture and understand the business logic before I even start hacking. If you only look for the standard, text-book vulnerabilities, you'll miss a lot of the more clever and complex flaws. When it comes to input, I try to cover as many vulnerabilities possible in one payload. Whenever I discover something interesting, I play around with it for a while and throw a lot of nonsense into it, just to see how the system reacts to it. The best bugs can often be found in the more remote parts of a web application, so I try to dig as deep as I can.
What do you think makes a good pentester? Any tricks up your sleeve you can share us?
I'm not a pentester so I can't really speak for pentesters in general, but I think motivation and persistence are the most important assets. Most people won't even consider looking for security vulnerabilities in Google because they have the best engineers in the world, yet they pay out millions of bug bounties every year. I'm working on a target for over 2 years and now I'm starting to get to the really interesting bugs. It takes a while. The problem with normal pentesting is that the testers are rewarded a set amount, whether they find critical vulnerabilities or not. I believe there are still plenty of bugs left in Facebook, it just takes someone that is willing to dig deep enough.
When you realized the scale of the Ticket Trick, what was your first thought?
I had mixed feelings. I felt amazed and immediately thought of the bug bounties I could collect with it, but on the other hand I was shocked that this was possible. Whenever you find something like this, you suddenly own a lot of precious information malicious parties would be very interested in. The disclosure process is a tough one: you need to inform as many affected companies as possible, but on the other hand, you need to make sure the information doesn't get leaked or abused.
Why did you decide to release the information before collecting more bounties?
Doing the right thing is more important than collecting bounties. I think I had my fair share and now want to give back to the community. Besides, I've been informing companies about this issue for months, so more and more people knew about it. I didn't want it to get leaked or abused by someone with bad intentions.
How did you feel about the responses from affected companies?
Most of the responses were satisfying. Some companies didn't really care about it, but at the end of the day, it's their loss. Being rejected as a security researcher is part of the game. At least I didn't get any lawsuits. 10 years ago, that probably would've been the case.
One last question, on reddit I read that you claimed $8,000 in bug bounties, do you have any cool plans to spend this money?
In total, I got more than $20,000 from this bug. More than half of it goes to taxes. I spend the rest on normal things like travel trips, going out for dinner, ... nothing crazy. :-)
Thank you very much for your time and good luck hunting in the future!
The bug is still out there. It isn't something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.
Earlier this month Belgian bug bounty hunter, Inti De Ceukelaire disclosed a creative hack that affects hundreds of companies. The trick involves exploiting faulty business logic in popular helpdesk and issue trackers to gain access to intranets, social media accounts or most often Yammer and Slack teams. You can read about the details on Inti's own blog post. I was impressed by the creativity needed to come up with this exploit and curious about the process involved, so I decided to ask Inti some questions, and I'm sharing his answers with you.
Hello Inti, can you briefly introduce yourself to our readers?
I'm Inti, bug bounty hunter at Intigriti and Hackerone. I live in Aalst (Belgium) and spend my days breaking stuff.
Last week I read your blog post about what you have since called 'Ticket Trick' and I was impressed by your creativity to find this exploit. How did you come up with the idea to try out this trick?
I participate in bug bounty programs, which means that certain websites offer money to responsible security researchers that discover unique vulnerabilities. As there's a lot of competition, you need to keep looking for stuff others haven't already found. I thought Slack was an interesting attack vector because it often holds sensitive information and sometimes only requires a valid company e-mail. So I grabbed a beer, laid down in the sofa and started thinking about all the possible attack vectors. Suddenly I had this wild idea - and it turned out it worked. I generally try everything that comes into my mind. Even though that only works for a few times, it pays off. ;-)
As someone who is usually working on the opposite side, trying to secure code, I often wonder what a pentesting session looks like. Where do you work? Is it something you also do in your free time from your couch? Or do you sit in an office?
During the day I work as a digital creative coder at a radio station called Studio Brussel. It involves some programming and some social media, but no security. I try not to mix my hobby with my professional job. I'm afraid I'd lose my creativity if I did. I don't hack that often: maximum a few hours a week. It can be at the table, on the couch or on my bed - whatever is comfortable at that moment.
How do you start? Do you have a cheat sheet? Do you have some inputs to test if there is sufficient input validation or output escaping?
I'm really chaotic so I don't really have a checklist, I just use my gut feeling. Most of the time I start of with something called recon: listing all interesting target information, subdomains, IP addresses, whatever I can find. I try to see the bigger picture and understand the business logic before I even start hacking. If you only look for the standard, text-book vulnerabilities, you'll miss a lot of the more clever and complex flaws. When it comes to input, I try to cover as many vulnerabilities possible in one payload. Whenever I discover something interesting, I play around with it for a while and throw a lot of nonsense into it, just to see how the system reacts to it. The best bugs can often be found in the more remote parts of a web application, so I try to dig as deep as I can.
What do you think makes a good pentester? Any tricks up your sleeve you can share us?
I'm not a pentester so I can't really speak for pentesters in general, but I think motivation and persistence are the most important assets. Most people won't even consider looking for security vulnerabilities in Google because they have the best engineers in the world, yet they pay out millions of bug bounties every year. I'm working on a target for over 2 years and now I'm starting to get to the really interesting bugs. It takes a while. The problem with normal pentesting is that the testers are rewarded a set amount, whether they find critical vulnerabilities or not. I believe there are still plenty of bugs left in Facebook, it just takes someone that is willing to dig deep enough.
When you realized the scale of the Ticket Trick, what was your first thought?
I had mixed feelings. I felt amazed and immediately thought of the bug bounties I could collect with it, but on the other hand I was shocked that this was possible. Whenever you find something like this, you suddenly own a lot of precious information malicious parties would be very interested in. The disclosure process is a tough one: you need to inform as many affected companies as possible, but on the other hand, you need to make sure the information doesn't get leaked or abused.
Why did you decide to release the information before collecting more bounties?
Doing the right thing is more important than collecting bounties. I think I had my fair share and now want to give back to the community. Besides, I've been informing companies about this issue for months, so more and more people knew about it. I didn't want it to get leaked or abused by someone with bad intentions.
How did you feel about the responses from affected companies?
Most of the responses were satisfying. Some companies didn't really care about it, but at the end of the day, it's their loss. Being rejected as a security researcher is part of the game. At least I didn't get any lawsuits. 10 years ago, that probably would've been the case.
One last question, on reddit I read that you claimed $8,000 in bug bounties, do you have any cool plans to spend this money?
In total, I got more than $20,000 from this bug. More than half of it goes to taxes. I spend the rest on normal things like travel trips, going out for dinner, ... nothing crazy. :-)
Thank you very much for your time and good luck hunting in the future!
The bug is still out there. It isn't something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoApplication Security Researcher - R&D Engineer - PhD Candidate
Earlier this month Belgian bug bounty hunter, Inti De Ceukelaire disclosed a creative hack that affects hundreds of companies. The trick involves exploiting faulty business logic in popular helpdesk and issue trackers to gain access to intranets, social media accounts or most often Yammer and Slack teams. You can read about the details on Inti's own blog post. I was impressed by the creativity needed to come up with this exploit and curious about the process involved, so I decided to ask Inti some questions, and I'm sharing his answers with you.
Hello Inti, can you briefly introduce yourself to our readers?
I'm Inti, bug bounty hunter at Intigriti and Hackerone. I live in Aalst (Belgium) and spend my days breaking stuff.
Last week I read your blog post about what you have since called 'Ticket Trick' and I was impressed by your creativity to find this exploit. How did you come up with the idea to try out this trick?
I participate in bug bounty programs, which means that certain websites offer money to responsible security researchers that discover unique vulnerabilities. As there's a lot of competition, you need to keep looking for stuff others haven't already found. I thought Slack was an interesting attack vector because it often holds sensitive information and sometimes only requires a valid company e-mail. So I grabbed a beer, laid down in the sofa and started thinking about all the possible attack vectors. Suddenly I had this wild idea - and it turned out it worked. I generally try everything that comes into my mind. Even though that only works for a few times, it pays off. ;-)
As someone who is usually working on the opposite side, trying to secure code, I often wonder what a pentesting session looks like. Where do you work? Is it something you also do in your free time from your couch? Or do you sit in an office?
During the day I work as a digital creative coder at a radio station called Studio Brussel. It involves some programming and some social media, but no security. I try not to mix my hobby with my professional job. I'm afraid I'd lose my creativity if I did. I don't hack that often: maximum a few hours a week. It can be at the table, on the couch or on my bed - whatever is comfortable at that moment.
How do you start? Do you have a cheat sheet? Do you have some inputs to test if there is sufficient input validation or output escaping?
I'm really chaotic so I don't really have a checklist, I just use my gut feeling. Most of the time I start of with something called recon: listing all interesting target information, subdomains, IP addresses, whatever I can find. I try to see the bigger picture and understand the business logic before I even start hacking. If you only look for the standard, text-book vulnerabilities, you'll miss a lot of the more clever and complex flaws. When it comes to input, I try to cover as many vulnerabilities possible in one payload. Whenever I discover something interesting, I play around with it for a while and throw a lot of nonsense into it, just to see how the system reacts to it. The best bugs can often be found in the more remote parts of a web application, so I try to dig as deep as I can.
What do you think makes a good pentester? Any tricks up your sleeve you can share us?
I'm not a pentester so I can't really speak for pentesters in general, but I think motivation and persistence are the most important assets. Most people won't even consider looking for security vulnerabilities in Google because they have the best engineers in the world, yet they pay out millions of bug bounties every year. I'm working on a target for over 2 years and now I'm starting to get to the really interesting bugs. It takes a while. The problem with normal pentesting is that the testers are rewarded a set amount, whether they find critical vulnerabilities or not. I believe there are still plenty of bugs left in Facebook, it just takes someone that is willing to dig deep enough.
When you realized the scale of the Ticket Trick, what was your first thought?
I had mixed feelings. I felt amazed and immediately thought of the bug bounties I could collect with it, but on the other hand I was shocked that this was possible. Whenever you find something like this, you suddenly own a lot of precious information malicious parties would be very interested in. The disclosure process is a tough one: you need to inform as many affected companies as possible, but on the other hand, you need to make sure the information doesn't get leaked or abused.
Why did you decide to release the information before collecting more bounties?
Doing the right thing is more important than collecting bounties. I think I had my fair share and now want to give back to the community. Besides, I've been informing companies about this issue for months, so more and more people knew about it. I didn't want it to get leaked or abused by someone with bad intentions.
How did you feel about the responses from affected companies?
Most of the responses were satisfying. Some companies didn't really care about it, but at the end of the day, it's their loss. Being rejected as a security researcher is part of the game. At least I didn't get any lawsuits. 10 years ago, that probably would've been the case.
One last question, on reddit I read that you claimed $8,000 in bug bounties, do you have any cool plans to spend this money?
In total, I got more than $20,000 from this bug. More than half of it goes to taxes. I spend the rest on normal things like travel trips, going out for dinner, ... nothing crazy. :-)
Thank you very much for your time and good luck hunting in the future!
The bug is still out there. It isn't something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.
Table of contents
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.