1. Hello Yann. Tell us about yourself, and how you first started hacking.
Hi Elodie ! Well when I was 5 years old, my father brought a computer at home. Around the age of 10, I started to get interested in various techniques to compromise machines. It was the glorious time of « trojans » and other RAT (Netbus, Subseven, backorifice…) : I was fascinated to see how easy it was to take remotely control of machines.
During middle school, I used to fix my teachers’ computers. I quickly realized that the main server was not secured, which could cause a lot of malicious acts : recovering of homeworks, taking control of multimedia rooms, visualizing teachers’ computer screens (VNC like), getting access to our grades… Fortunately, I was a pretty serious student, and I showed them the different breaches, allowing them to strengthen the system.
We were already in responsible disclosure back then !
After studying informatics, I continued to educate myself to improve my knowledge of security. Since then, I have settled in Rennes, where I’m a Bug Hunter on various platforms such as Yogosha, and a lead auditor at SYNETIS, a cybersecurity company. I also had the chance to increase awareness regarding offensive security for the students of l’Ecole Polytechnique de l’Université de Nantes. I have always been attracted to the educational side of security, and I believe you can’t teach security without talking about insecurity, the root causes of vulnerabilities, and learn how to understand and manipulate them.
2. What attracts you in bug hunting ?
Bug Bounty conveys important values of security : curiosity, will to succeed, and sharing of expertise. Hunting bugs allows you to materialize your knowledge. It’s really enriching to learn new techniques, to control vulnerabilities via “simulators” (challs platforms, CTF, etc), but it’s way more thrilling and rewarding to put your knowledge at work on real production targets, and to concretely improve the existing.
Obviously, clients’ gratitude is important (and also bounties !:) But everyone has its own motivations. When Yogosha launched a voluntary program for Amnesty international, the lack of remuneration didn’t stop hunters, including me, to get involved in the mission.
The community’s support is also a great way to progress in security. Yogosha, for example, has a restricted community of researchers. We can easily get to know other hunters, and Yogosha’s team is really accessible and human.
There is also a great tolerance and respect based on individual merit in the Bug Hunter activity. You need to be able to think, analyze, and approach technical challenges in a non-academical way, to discover weaknesses. Therefore, atypical profiles, who didn’t go through a regular university education, are very interesting. Cybersecurity, and particularly Bug Bounty, are jobs accessible to everyone.
Yogosha’s team support is an important part of my presence on their platform. First, they leave a chance to new hunters, by not opening programs only to the best ranking hunters. Rewards are honorable, and we always have the opportunity to prove a vulnerability’s critical assessment. We can rely on Yogosha’s team to support us in our ratings and attack scenarios. On the platform, hunters can also talk with the team and clients.
3. Which Bug Bounty programs did you enjoy most ?
What makes the beauty of our job is that we often come across surprising bugs. For me, the most atypical bugs that I found were in Yogosha’s programs.
One day, our target was an IP address to analyze, for an insurance company. At first, I thought that I wouldn’t find a lot of relevant things, until I noticed a web service exposed on an exotic port.
When I logged to this port, I found a web authentication page which asked for a login and a password to access an AC22 Controller equipment. It was actually an electronic card embedded in the walls, which granted physical access to doors. Employees had to badge in front of the door to enter and come out of the offices and secured zones.
After finding the credentials left by default in the manufacturer’s documentation, it was possible to open the doors remotely, or to lock people inside the premises. The surveillance system (cameras) could also be controlled via this interface. Sometimes, the best bounties are the ones you don’t expect. From a simple IP address, you can find truly surprising things.
Thus, it’s in companies’ best interest to have hunters who tell them which vulnerabilities need to be fixed, before a malicious attacker exploit them.
Still in a Yogosha’s program, I realized that a website on which I was working had already been visited by an attacker. The website had been infected for more than 4 years ! (backdoor ASP .Net, sub-areas defaced, etc.). I immediately gave the information to the security teams, and explained that even though the initial breach (WebDAV) exploited by the attacker had been corrected, backdoors remained. The assailant had even changed the pages, and bounced in the internal network of the company… without anyone noticing it !
4. How do you motivate yourself when you don’t find anything ?
Haha, well first, I try to never find nothing. There is (almost) always something to exploit. Even a weakness that seems useless (leak of technical information, CVE, versions, stacktrace, banner, target profiling, internal IP…), can open the way for us to find future more important flaws.
If I don’t find anything, I start by reducing coffee, and I go take a nap. Then, I start all over again, go back from scratch by forcing myself not to follow my previous hypothesis, to discover new angles of attack.
Clients also enjoy when we tell them which positive security measures and best practices they implemented.
5. Which types of bugs do you prefer to hunt, and on which scopes ?
My favorite type of research is when I try to figure out how the developer built his website. Searching for bugs in the thought process, look at the way the pages are sequenced, and check if an attacker could bypass and harm the system. We’re not talking about technical vulnerabilities, with weaknesses in the code, but of logical vulnerabilities.
Personally, I’m mostly interested in web targets : websites, applications. These technologies are continuously evolving, and are becoming primary targets that hunters need to master.
6. What did Bug Hunting allowed you to do ?
A lot of things ! Beside the fact that I discovered many technologies, and met amazing people, it’s also very useful in my professional life.
Being able to find technical weaknesses & vulnerabilities is not enough to be a bug hunter, especially on highly selective platforms such as Yogosha. You also need to ensure the dissemination of the results, to build awareness and to adapt to your audience. These educational skills taughts me a lot, and I’m more comfortable now when presenting to clients.
It has also become a true asset on my CV. I had the chance to discover weaknesses of famous websites such as Google, Ebay, Microsoft, Mozilla, Java, Oracle, Adobe, RedHat…, and to be on their “Hall of Fame” and acknowledgement pages. This shows the passion and will of a hunter to improve security, and differentiates him from other profiles working in cybersecurity.
In my personal life, Bug Bounty helped be to buy a house, to take care of my family and to travel with my wife ! I have the chance to work in an environment where you don’t see hours go by. I’m truly passionate about what I do, and I make my own agenda with Bug Bounty (I mostly hunt during the night). It’s a really flexible job.
7. Which hackers inspire you ?
I admire hackers who always document their exotic discoveries. The ones who grow the security community by sharing their knowledge in a smart way (responsive disclosure) : detail the weakness, the approach used to discover it, the impact, the criticality, and the ways of correcting it.
To name a project that I particularly admire, I could talk about the founders of the framework BeEF, a modular tool dedicated to cross-site scripting vulnerabilities I find this framework outstanding in illustrating concrete attack scenarios.
8. Which advice can you give to someone who is starting with Bug Bounty ?
The first advice that I can give is : be patient. At first, all hunters will probably face some duplicates, which are the nightmare of our activity. When you know that 50 000 people are looking for the same vulnerabilities as you do, it can quickly discourage you. But among a selective community as Yogosha, you have a lot of chance to bring relevant information and there are drastically less duplicates than on other platforms.
Then, when you find the first flaw which “flags”, when you receive your first “bounty”, you realize that the game was worth it. But you need to be patient, and to take time to perfect yourself, and to gain a lot of knowledge !
In everyday life, you need to document yourself, to do some technological watch, some researches (0dayzs, CVE), to read write-ups, to be creative, inventive, and innovative in your offensive approaches. And obviously, you need to give back by sharing your own discoveries with the community. Education, which I mentioned earlier, is also highly important: you need to know who you’re talking to, illustrate your sayings, and adapt your speech to your audience.