Earlier this month Belgian bug bounty hunter Inti De Ceukelaire disclosed a creative hack that affects hundreds of companies. The trick involves exploiting faulty business logic in popular helpdesk and issue trackers to gain access to intranets, social media accounts or, most often, Yammer and Slack teams. You can read about the details in Inti's own blog post. I was impressed by the creativity needed to come up with this exploit and curious about the process involved, so I decided to ask Inti some questions, and I'm sharing his answers with you.
Hello Inti, can you briefly introduce yourself to our readers?
I'm Inti, bug bounty hunter at Intigriti and Hackerone. I live in Aalst (Belgium) and spend my days breaking stuff.
Last week I read your blog post about what you have since called 'Ticket Trick' and I was impressed by your creativity to find this exploit. How did you come up with the idea to try out this trick?
I participate in bug bounty programs, which means that certain websites offer money to responsible security researchers who discover unique vulnerabilities. As there's a lot of competition, you need to keep looking for stuff others haven't already found. I thought Slack was an interesting attack vector because it often holds sensitive information and sometimes only requires a valid company e-mail. So I grabbed a beer, lay down on the sofa and started thinking about all the possible attack vectors. Suddenly I had this wild idea - and it turned out it worked. I generally try everything that comes into my mind. Even though that only works a few times, it pays off. ;-)
As someone who is usually working on the opposite side, trying to secure code, I often wonder what a pentesting session looks like. Where do you work? Is it something you also do in your free time from your couch? Or do you sit in an office?
During the day I work as a digital creative coder at a radio station called Studio Brussel. It involves some programming and some social media, but no security. I try not to mix my hobby with my professional job. I'm afraid I'd lose my creativity if I did. I don't hack that often: a few hours a week at most. It can be at the table, on the couch or on my bed - whatever is comfortable at that moment.
How do you start? Do you have a cheat sheet? Do you have some inputs to test if there is sufficient input validation or output escaping?
I'm really chaotic so I don't really have a checklist, I just use my gut feeling. Most of the time I start off with something called recon: listing all interesting target information, subdomains, IP addresses, whatever I can find. I try to see the bigger picture and understand the business logic before I even start hacking. If you only look for the standard, text-book vulnerabilities, you'll miss a lot of the more clever and complex flaws. When it comes to input, I try to cover as many vulnerabilities as possible in one payload. Whenever I discover something interesting, I play around with it for a while and throw a lot of nonsense into it, just to see how the system reacts to it. The best bugs can often be found in the more remote parts of a web application, so I try to dig as deep as I can.
What do you think makes a good pentester? Any tricks up your sleeve you can share with us?
I'm not a pentester so I can't really speak for pentesters in general, but I think motivation and persistence are the most important assets. Most people won't even consider looking for security vulnerabilities in Google because they have the best engineers in the world, yet they pay out millions in bug bounties every year. I've been working on a target for over 2 years and now I'm starting to get to the really interesting bugs. It takes a while. The problem with normal pentesting is that the testers are rewarded a set amount, whether they find critical vulnerabilities or not. I believe there are still plenty of bugs left in Facebook, it just takes someone who is willing to dig deep enough.
When you realized the scale of the Ticket Trick, what was your first thought?
I had mixed feelings. I felt amazed and immediately thought of the bug bounties I could collect with it, but on the other hand I was shocked that this was possible. Whenever you find something like this, you suddenly own a lot of precious information malicious parties would be very interested in. The disclosure process is a tough one: you need to inform as many affected companies as possible, but on the other hand, you need to make sure the information doesn't get leaked or abused.
Why did you decide to release the information before collecting more bounties?
Doing the right thing is more important than collecting bounties. I think I had my fair share and now want to give back to the community. Besides, I've been informing companies about this issue for months, so more and more people knew about it. I didn't want it to get leaked or abused by someone with bad intentions.
How did you feel about the responses from affected companies?
Most of the responses were satisfying. Some companies didn't really care about it, but at the end of the day, it's their loss. Being rejected as a security researcher is part of the game. At least I didn't get any lawsuits. Ten years ago, that probably would've been the case.
One last question: on Reddit I read that you claimed $8,000 in bug bounties. Do you have any cool plans to spend this money?
In total, I got more than $20,000 from this bug. More than half of it goes to taxes. I spend the rest on normal things like travel trips, going out for dinner, ... nothing crazy. :-)
Thank you very much for your time and good luck hunting in the future!
The bug is still out there. It isn’t something that can be fixed right away. Over the past few months, I contacted dozens of companies and affected vendors as part of their bug bounty programs in order to get their setup fixed.