Julie Chu in Bugs, November 29 12:44

Who is a "white hacker," how to become one and how much you can earn

This is the story of a hacker from St. Petersburg who found a vulnerability in PayPal and received about US$ 70 thousand from the company in gratitude.
I was always interested in computer science, and I always wanted to "break" something, but in such a way that no one was hurt and the protection and quality of services improved. I looked for different applications and sites and asked their creators whether I could test them for strength. Most often, they refused me. Most likely, they were afraid, because such a proposal seemed strange and unacceptable.
But I continued to surf the Internet and spot various unprotected places. In 2009, I found webcams in one of the physical stores of a popular retail chain, which anyone could connect to and intercept the video feed. I was 15 years old then.
I reported this to the owners. They said thanks and closed the vulnerability. I offered them my security services, but they refused. And then they were hacked, and for some reason they thought of me, although it wasn't me. From time to time, I continued to search for vulnerabilities, like open databases of online stores that contained order information and personal data of customers, and contacted the owners to close the holes.
In 2015, I found out about "bug bounty" (a reward for found vulnerabilities paid by IT companies - vf.sg) and registered with HackerOne, a global platform where developers of various applications and services allow their products to be hacked.
VKontakte, Mail.ru Group, Sony, Adobe, and many other well-known organizations, including the US Department of Defense, are registered there. They either pay for the found "holes" or thank the hacker in other ways. Sometimes they organize public events, inviting anyone to try their strength at breaking into their services.
Regardless of the program, 90 days after the owner of the resource was informed of the vulnerability, hackers tell the community about their findings: what they found and how they managed it. I earned my first $100 by hacking one service and gaining access to the readme.txt file.
It was straightforward, and I did not expect to be paid. But at HackerOne there is a payout range that is tiered by the severity level of the discovered vulnerability.
I'm self-taught: I read various articles, sat on forums, and put knowledge into practice. There are chats where hackers hang out, and I asked for advice there. Sometimes they helped me just like that, sometimes for a percentage of the reward. In addition, at that time I read many open reports on HackerOne in which hackers described how they discovered a particular vulnerability.
For the company to accept the report, the hacker needs to prove that he really found a vulnerability that could cause harm. I can't say: "I walked past the garage, I saw a hole in the wall" - they simply won't accept such a report and will ask you to justify what the hole is and what threat it poses, even a small one. A good report looks like this: "I walked past the garage, I saw that the owner forgot to remove the key from the lock, opened it, went inside, did not touch anything, and then brought the owner and showed how you can get into the garage."
There was a lot of useful data in these reports. I also practiced on simulators - services like Hack The Box, in which the developers deliberately left holes.
Money and Payments
I don't keep track of how much time I spend working. It all depends on my mood and the volume of tasks. If there are important matters, I do them; if I have free time, I "hunt" for the sake of interest. In a month I earn from $2,000 to $8,000, on average about $5,000.
The highest vulnerability payments among Russian companies are at Mail.ru Group, from $2,000 to $4,000. Adobe usually pays nothing, just thanks. And Sony sends T-shirts. But I didn't receive a single one, thanks to our valiant customs.
My biggest payout was from PayPal: for three months of work, they paid me about $70 thousand. But I do not chase money - sometimes I participate in free projects to improve my level.
What vulnerabilities can be detected most often
They are always different; it is difficult to sort them by "popularity". But most often I find SQL injections, SSRF and RCE.
For that, it's enough to find a vulnerable service that can reach the internal network. This type of vulnerability can lead to a complete compromise of the company's infrastructure.
Sometimes even very experienced specialists miss holes in the security system or simply do not have time to patch them. Not everyone can defend against zero-day vulnerabilities. So only a shut-down system, or a system that no one knows about, can be 100% safe.
Someone may accidentally expose a database with user data, or an admin panel together with a database, to the public. Sometimes such errors occur due to carelessness, when developers forget to turn off some settings (debug mode) before publishing a service or an update.
That is, in "normal" mode only employees of the organization can access this information, but now it is open to every Internet user. Other gaps are related to technical nuances: something breaks when the system is updated. The hardest thing is to crack the services of large companies: they carefully monitor their infrastructure, plus the foundation itself is more complex and is based on microservices.
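The SSRF case above (a service that fetches a user-supplied URL and can reach the internal network) is usually closed on the defender's side by validating where the URL points before fetching it. The following check is an added example, not code from the article or from any company it names; the DNS table and the resolver are constructed so it runs offline, and the hostnames in it are made up.

```python
import ipaddress
import socket
from urllib.parse import urlparse
ALLOWED_SCHEMES = {"http", "https"}

def _is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), etc."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return the host if the URL is safe to fetch, else raise ValueError.
    `resolver` is injectable so the check can run offline in tests."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:                  # literal IPv4/IPv6 address: check it directly
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:    # hostname, or odd forms such as 0x7f000001 / 2130706433:
        try:              # the resolver normalises those and returns real addresses
            infos = resolver(host, None)
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:    # every returned address must be public, not just the first
        if _is_internal(addr):
            raise ValueError(f"{host!r} points at internal address {addr}")
    return host

def is_fetch_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False

# Constructed DNS table so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {"example.com": ["93.184.216.34"],
                   "metadata.corp": ["169.254.169.254"],   # link-local, like cloud metadata
                   "split.corp": ["93.184.216.34", "10.0.0.5"]}  # one public, one internal
def fake_resolver(host, port):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in CONSTRUCTED_DNS[host]]
```

Checking before the request still leaves a window for DNS rebinding and for redirects to internal hosts, so the fetcher should connect to the address that was validated and either refuse redirects or re-run the check on each hop.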
Recently it became known that user data leaked from Sberbank. As far as I know, they are doing well with protection. Attackers usually look for obviously vulnerable victims. Some companies know about vulnerabilities but do nothing about them. A few years ago, I accidentally discovered an SQL injection at one of the largest electronics retailers in Russia. The vulnerability has still not been fixed.
How to look for vulnerabilities
First, I study the network infrastructure, either manually, going through the subdomains, or using the Shodan and Censys services.
That gives me information about the nodes that make up the network. Looking at them, I understand where potential problems may be hiding. I use vulnerability scanners: they probe the node and identify its weak points from the responses. Then I have to check whether the vulnerability is really there.
I am regularly offered "black" work. Most often, acquaintances of acquaintances who want big and easy money come to me and do not think about the risks. The most popular request: "Let's crack the bank." They think I can take control of an ATM and make it spit out money. Or they offer to read data from bank cards.
In second place is a request to hack one or another online store. Some comrades want to hack the sites of bookmakers and binary options services, or bitcoin wallets. Sometimes they ask to hack a page on VKontakte, but this request is, surprisingly, only in sixth or seventh place in popularity.
I never agreed: all such offers are illegal and contrary to my internal principles.
Team
In 2018, I met Andrei Leonov, who a year earlier had found a vulnerability on Facebook and earned $40 thousand. Before the meeting, we corresponded a lot, and once we met at Zero Nights.
We talked and agreed to look for bugs together: we wanted to grow and decided to raise our level together. Gradually, the team grew to six people. Thanks to teamwork, it is possible to quickly cope with complex vulnerabilities and carry out more complex projects that I would hardly undertake alone, for example, auditing systems for vulnerabilities.
I either looked for guys on purpose or found them by chance. Once I found a hole in one company and began to look for a way to inform its developers about it. Almost always, this is not an easy task: technical support often does not understand what is being discussed.
We agreed to work together: it was necessary to automate part of the tasks.
Ethics of White Hackers
More often than not, we do not disclose vulnerability data if the company in which we found it does not want this. That is, we can't say what, where, and how to find it: this information is only for company representatives.
In addition, I follow the "do no harm" principle: it is unacceptable for me to "bring down" a server or steal data. This is considered a violation of ethics, prosecuted both by law and by the rules of HackerOne.
I am interested in developing myself and learning about new technologies. And it's better to "break" services for the benefit, not to the detriment: not only will you not be punished, but they will also tell you about interesting nuances related to security, which you would not have known otherwise.