It seems like we’re hearing about hacking problems more and more now, from government hacks to the recent HBO hack. And since the internet isn’t going anywhere soon, all we can do is find ways to patch the security holes that allow predators to get in.
That’s the goal of bug bounty programs. They’re projects that companies and organizations start to get people to find and report website vulnerabilities. Think of these hackers as the good guys — hackers in white hats. Plenty of big companies run bug bounty programs, including Facebook, Google and Uber.
You might think the people doing this kind of work are seasoned pros, but often the hackers making bug bounty money are teens like Jack Cable. He competed against 600 hackers from around the world in Hack the Air Force, a partnership between the Department of Defense and HackerOne, a bug bounty platform. Cable sat down with Marketplace Tech’s Ben Johnson to talk about his win. An edited excerpt of their interview follows.
Ben Johnson: My condolences on the end of your summer break. You have to go be a senior in high school. But you were pretty busy this summer.
Jack Cable: Yeah, so this summer I participated in the Hack the Air Force program, and that was the U.S. government’s third bug bounty program. So they invited 600 of the top hackers from across the world to try to find vulnerabilities in the Air Force’s site.
Johnson: And you won the whole thing?
Cable: Yeah, so I found 40 vulnerabilities, and that placed me first on the leaderboard.
Johnson: Do you have a favorite?
Cable: So I found what’s known as an XML external entities vulnerability. That concerns the application’s processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that, after working on it for a few hours, into a remote code execution. So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.
Johnson: Wow. How did you get into this?
Cable: I was 15 and I accidentally stumbled across a vulnerability in a financial site. I found that I was able to send a negative amount of money to other users, and that would effectively steal money from their accounts. That financial site ran a bug bounty program, so I submitted it there. And then I sort of got into hacking from there.
Johnson: It seems like you’re one of the good guys. Why did you decide to be a good guy?
Cable: I try to be because it’s really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.
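The XML external entity (XXE) issue Cable describes, where an entity declaration inside the submitted document makes the server fetch a URL of the sender's choosing, can be refused at the parser itself. The following is an added example, not code from the interview, from HackerOne or from the Air Force program: it uses Python's standard-library expat parser to record and block any external entity fetch; the two sample documents and the placeholder URL are constructed for the demonstration.

```python
import xml.parsers.expat as expat

# Constructed sample input (not from the page). BENIGN_XML is an ordinary
# document; XXE_XML declares an external entity that would make a naive
# parser issue an HTTP request to the declared system identifier.
BENIGN_XML = b"<?xml version='1.0'?><order><item>widget</item></order>"
XXE_XML = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'http://placeholder.invalid/x'>]>"
    b"<order><item>&ext;</item></order>"
)


class UntrustedXMLParser:
    """Parse XML from untrusted clients without ever resolving external entities."""

    def __init__(self):
        self.blocked = []   # system identifiers the document tried to make us fetch
        self.texts = []     # character data collected from the document
        self._p = expat.ParserCreate()
        # Never load or expand parameter entities (external DTD subsets).
        self._p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        # Every reference to an external general entity lands here first.
        self._p.ExternalEntityRefHandler = self._on_external_entity
        self._p.CharacterDataHandler = self.texts.append

    def _on_external_entity(self, context, base, system_id, public_id):
        # Record the URL for detection/alerting, then refuse the fetch.
        # Returning 0 makes expat abort with an ExpatError instead of resolving it.
        self.blocked.append(system_id)
        return 0

    def parse(self, data):
        """Return a dict describing the outcome; never raises on hostile input."""
        try:
            self._p.Parse(data, True)
        except expat.ExpatError as err:
            return {"ok": False, "blocked": list(self.blocked), "error": str(err)}
        return {"ok": True, "blocked": [], "text": "".join(self.texts)}


if __name__ == "__main__":
    print(UntrustedXMLParser().parse(BENIGN_XML))
    print(UntrustedXMLParser().parse(XXE_XML))
```

Each parse uses a fresh parser object, since expat parsers cannot be reused after a final parse; in a real service the `blocked` list is what you would ship to your logging or alerting pipeline.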
For more on hacking for good, you can visit our series on hacktivism.
Is ‘hacktivism’ a force for good … or chaos?
How hacktivism intersects with the law
Founder of hacker group LulzSec explains the chaos of hacktivism