May 3, 2023 66 mins
In this podcast, I interview Youssef Sammouda - top Facebook/Meta bug bounty hunter in 2020, 2021 and 2022. He has found numerous bugs on Facebook, including account takeovers. We talk about his methodology, tools he uses, productivity tips and many more!
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Getting to the Facebook bug bounty leaderboard is a great achievement.
Being the top one is insane.
But today, I'm interviewing the hunter who has been top one for three
consecutive years there and has found multiple account takeovers on Facebook.
He's one of the million dollar hackers and his name is Youssef Sammouda.

(00:23):
Enjoy the interview!
Hello Youssef, thank you so much for joining me today.
First, for those of you who somehow don't know you, could you tell us a few words about yourself?
Hello Greg, thanks for the invitation.
So my name is Youssef Sammouda, I'm 24 years old and I'm from Tunisia.

(00:46):
I started hacking when I was 13 or 14 years old and it's been a long journey.
So now I do mainly bug bounty hunting and penetration testing for some firms and that's it.

(01:09):
How did it start? What did you hack when you were 14 years old?
So when I was 14 years old, it was like, I'm not sure, I started nerfing first, like a bunch of few abilities, and with abilities.

(01:33):
At that time, PHP was the main programming language used for web development and I started to learn PHP.
After that, I kind of teach myself a few things, like I noticed when I was developing web applications.

(01:59):
For example, sometimes I noticed that I can bypass or gain permissions to a few things that I shouldn't have permission to access.
And from that point on, I started to access forums, like it was RTC forums, I guess, RTC or something like that.

(02:29):
After that, when I was 16 or 17, I started doing bug bounty, 3 or 4 years after learning about web bans and web learning.
What bug bounty programs did you start with?
I started with the Facebook bug bounty program.

(02:53):
We'll skip to Facebook in a second, because there's a lot we can talk about Facebook.
But before we go there, so I believe you have to call yourself self-taught, but as from what I know, you did go to university.

(03:17):
Yes, so when I went to university, I went to Canada, studying in Canada to have a computer science degree.
I studied for 3 months or 4 months and I stopped. I found out that I knew everything I was learning in the university.

(03:41):
So I stopped. At that time, it happened that HackerOne had a live hunting event and I made there like $100,000 in one day.
So that changed my mind to go to a lot of universities.

(04:04):
So I started and focused mainly on bug bounty hunting.
So you made $100,000 of bounties in one day. Before this day, approximately, more or less, how much did you make in all the previous years?
At that point, I was doing very well with Facebook, so that's why I got invited to this HackerOne event.

(04:34):
So I guess I made before that, higher than $50,000 or $200,000 for a period of like 2 years.
Okay, so it was really, let's say, maybe not life-changing, but a lot of money compared to in 2 years you made $150,000 or $200,000.

(04:58):
And then all of a sudden you get $100,000 in one day. I'm not at all surprised you decided to drop out of university.
Did you then start hacking full-time or did you still have another job?
Yeah, so after that event, I'm not feeling ashamed of the university, I started mainly doing bug bounty hunting.

(05:23):
I did some penetration testing jobs. It was for like 1 month or 2 months, but mainly it was bug bounty hunting.
And mainly with Facebook program.
Okay, so why did you choose Facebook?
So at that time, starting from 2017 up to I guess last year, it was, to my point of view, from my point of view, it was the best program.

(05:56):
Because I was getting paid more than the other programs.
It made, for example, an average of $40,000 per month.
And I was getting paid like in 3 weeks from reporting the bug.

(06:18):
So that was the best, like the ideal environment for me.
I tried other programs, sometimes I'll get paid well, but after 3 or 4 months.
And sometimes I'll get paid instantly, but the bounty would be less than expected.

(06:40):
Yeah, I saw a lot of your blog posts and it's absolutely amazing how consistently can you get those payouts around the $50,000 mark.
When you decide you want to hack, how do you choose your target?
Yeah, so first of all, the target should be in Facebook, the Facebook ecosystem or the Facebook company now named Meta.

(07:10):
So I chose, for example, I have a few scripts that I made before that would look for inside JavaScript files in each website.
For example, Facebook business, Facebook main website, Facebook store, for example, and Instagram, all of them.

(07:31):
And it would, for example, each day try to find changes in these JavaScript files and if these script files are critical change or a few lines or new JavaScript files were created that may contain something special.

(07:52):
It depends on the filter and the classifier for this case. It would give me a notification on that try and start to manually test it.
I actually thought about doing something like this a long time ago and I've never finally did it. Is this script complex? Because I guess JavaScript files change very often and a lot of times it's not a change that's interesting to us.

(08:25):
Yeah, it's like, of course, the change should be more than two letters, for example. It's obvious maybe they just changed the variable name.
So it has to be, for example, a new line or two lines and with Facebook they developed using React.

(08:46):
So it's like modules. I can, for example, extract the module's name and try to detect new modules added.
And after that from the module name I can, for example, get a hint what this might be.
For example, they have if the module is for client side communication with the backend for Ajax, for example, or Hadoop.

(09:18):
They'll have a certain word in the module name. So, for example, I'd focus on that. Sometimes I will ignore other things like CSS, like things related to graphics.
So I guess it's more specific to the target. You can pull it, you can find hints in other targets and build your script using that information.

(09:47):
So when you see a change in JavaScript, what tools do you use to deobfuscate the JavaScript to understand the JavaScript if you use any tools apart from the browser?
Actually, I use like, there are many CLI-based tools like JS Beautifier or JS Beautify, I guess. So this one I would just try to like add tabs, add spaces and make it readable.

(10:24):
But the actual obfuscation with time I just got used to reading the script very fast. So if you get used to reading variables named as A, B, C, D instead of their real names, it's starting to become very easy.

(10:46):
And do you often use the browser debugger to understand the code or you just don't need it?
I use it like mainly for when I try to drag something in the JavaScript execution. So I try to make breakpoint and after that find the next function and after that until I reach one point where, for example, I'm looking for a symbol or I'm looking for a source or an instance or another.

(11:24):
So I use it, actually I only use three tools. I use the browser and Burp Suite. So I use those two.

(11:45):
Do you use any extensions in Burp?
Actually, no, I don't like. I use, for example, a tool called mitmproxy. So it's similar to Burp, but you have more freedom to write scripts and everything. It doesn't have a graphical interface, a GUI.

(12:11):
So I have it in the middle, this proxy, mitmproxy in the middle and it will forward a request to Burp so I can see the history and everything.
And in the middle, in mitmproxy, I'll program scripts with Python that would do some similar things to Burp. Just I'll have more freedom. Like, for example, I'm not sure if this is possible in Burp.

(12:42):
This script would be like instantly monitoring any requests, like in the background, all this stuff.
So in the same type, I want to extract secrets from the requests.

(13:06):
I don't understand, what's that?
Like the Python script, what this Python script would be extracting from those requests or responses?
Yeah, so for example, if I'm looking for, if I have a specific, for example, like a Burp Suite extension that would, for example, for B64 decoded strings and try to decode them and try to find out what's coded or what's inside.

(13:41):
So I'll have a script like that doing it in the JavaScript instantly and it would be saving anything.
For example, in the folder, I'll have another script looking for, I'm not sure, like if I have, I'll have like scripts that are in the middle, like between the browser when I browse their work.

(14:10):
And then have other scripts that do their jobs in the background, like they'll try to scrape the website and look for certain, like inject, for example, XSS payloads and see the response.
A few things like this, but it would get like, for example, the endpoint, the website, everything from the browser or from the browsing history.

(14:45):
Okay, okay, I understand.
And do you have a favorite vulnerability class?
Yeah, it's actually a vulnerability, but an impact, I love account takeovers.
So I actually like client-side more than server-side because I enjoy reviewing codes and for an application like Facebook, the only part available would be the client-side code, the JavaScript code.

(15:19):
So I enjoy like testing these codes.
I enjoy testing the browsers where this code is getting executed and usually I'll find bugs in the browser or bugs in the files themselves.
Yeah, so I'll get that category like browser-based bugs or XSS, more specifically, I like that.

(15:51):
Yeah, I could definitely foresee this based on the write-ups on your blog with a few of them covered already on my channel.
And what do you think you do differently from other hunters that you have extraordinary results and other hackers don't?

(16:13):
Yeah, so we talked about what's the, so if you have the perfect, like strategy, you'll get the files that you need to manually like test or manually review.

(16:34):
So at that point, you have that will be at the same level.
After that, it depends on the knowledge of JavaScript, knowledge of the browsers, security policies, everything.
So relations between a few features.

(16:55):
So it's mainly knowledge of the JavaScript, how JavaScript works and how browser works.
So you can detect if something's wrong, you'll easily detect it.
And one more thing, like for me, I tried to, if I found something like a weakness, but it's not very critical, it can be used and try to save it.

(17:22):
So for later, for example, it doesn't have any impact, but I tried to save it there.
And if I find, for example, another weakness that can be leaked with that one, I'd come back and change them together.
So that's a good thing you can do, especially in browsers, in 9-Cycle, because you can have like relations between two windows.

(17:49):
You can have iframe, you have relation, parent relation, so you can do a lot of things.
What do you use to keep those notes?
Like, I don't know, Gedi, I guess. Like any text editor in Linux or Windows.

(18:12):
Okay, just simple solution.
Yes.
Okay. And also by looking on your blog, there are a lot of those XSS or account takeovers that have a words of usually at least 40k, I think.

(18:35):
Are there many bugs with lower severity and lower bounties that you just don't write about?
What's the question? Like, why I only focus on big bounties or big impact bugs?
The question is, do you find low impact bugs and not write them on your blog or do you not find low impact bugs?

(18:58):
So in the first 3 or 4 years, I used to report medium impact or not very low, but medium, like the bounty would be around 4 to 5k.
I stopped after that because like most of the time these issues take a long time to fix, so I wait for 3 months to get, for example, 5 or 4k.

(19:28):
And personally, I like to enjoy my work, so when I get paid, I can get motivated to work more. So I'll just be waiting for that bounty to come so I can test again.
So I stopped doing low or medium severity bugs and I only focus on big ones.

(19:58):
Okay, that's very interesting. Like for a lot of people, a payout of 4, 5, 6k is a lot and I guess for you it works better to wait for the big one.
This will be a super hard question to answer, but how long do you stay on one functionality until you move on?

(20:20):
Okay, so for the scripts I have, I get a big red notification that this is interesting and I just spend like 3 to 4 days examining everything, trying to attack it from different angles with different tools.

(20:43):
Not tools, like with different attacks. And yeah, after 4 days I just move on. As I said, I try to save the little weaknesses that I can't currently exploit, but I save them for later.
Okay, and how often can you find a bug?

(21:13):
I guess I'll try it, because I'm not very productive I guess. I like to have a balance of 50% work, 50% personal life. I'll have like 80% personal life and 20% work.

(21:38):
So I don't do a lot of work. So it would be for example, I hunt for 2 weeks, I have a confirmation that I reported a valid ATO or a valid critical bug and I'll be testing again after 2 months for example.

(21:59):
Yeah, so it's for example, yeah. And sometimes I'll have like a crazy month where I'm bored and I like to work very hard. So I'll report 4 or 5 ATOs in one month. It happened last year.

(22:24):
Oh wow. All of them valid ATOs on Facebook in one month?
Yeah, I guess it was 4 I guess.
That's crazy. And how does the preparation for the live hacking event look like?

(22:45):
So live hacking events, I'm not like very focused on, I wasn't very focused on HackerOne. Like now I plan to engage more with HackerOne for a bad breath.
But when I was invited, I'll just be familiar like about the target. It won't be familiar like Facebook. So I try to use the same techniques.

(23:19):
And for example, in the last hacking event it worked. But the problem with reporting to another company or target that doesn't know you or your work, it's hard to see the impact of the event.

(23:40):
For example, if I report the Pentax ATOs that I usually report to Facebook, if I report the same back to for example, AmateurZoom for example, they won't have like the same response as Facebook.

(24:02):
They'll be like slow, this is a client-side bug. We want our user base won't be infected for example.
Didn't happen with Zoom but I just named one target. So Facebook cares about its client base. The others like it's not that much.

(24:26):
And that's why for example, Simon will pay $500 for XSS that would lead to an account takeover.
I completely understand. Also regarding your hacking style, it seems like you are much more based on understanding what happens, understanding flow and the JavaScript. Do you often brute force or fuzz anything?

(25:00):
Yeah, so if it's one thing about finding like you can find a bug in JavaScript or a chain of bugs, but they explode to write to achieve an attack.
Sometimes it requires brute force for example, but I use brute force with other things. Sometimes for example, I use it to extract data from the server.

(25:30):
For example, if I'm looking for client side bugs, but sometimes you need to access JavaScript files that are not available to you. For example, I need to get JavaScript files in an admin dashboard, but I don't have access to the admin dashboard.

(25:52):
Okay, so I'm trying to, for example, find the CDN that serves JavaScript files and try to brute force a few things. And that would make me download the JavaScript files of the admin dashboard.
From there, I can, for example, prepare an XSS attack, even though I don't have access to the dashboard to test it. I will, for example, find a DOM XSS in the JavaScript file and I know it's loading when slash admin is accessed.

(26:27):
So I can have an attack. Also, for example, I try to extract endpoints from these JavaScript files and prepare for server side attacks like IDORs or anything.
Okay, well, these are crazy, crazy sounding attacks. And also, probably there is someone who listens to this podcast who thinks I am also monitoring JavaScript files for changes.

(27:06):
I'm also focusing on client side bugs. I like account takeovers, but I don't have as good results as Youssef does. What is your advice to this person? What likely they are doing wrong that they just don't have as great results as you do?
So I would advise to read more about JavaScript, like web docs about JavaScript, spec about JavaScript, especially features in the browsers. Read more about browsers, features and security policies and everything.

(27:49):
Like when you read everything, why this header is present in the request, why this header is present in the response. When it's missing, you notice that and you can notice this weakness and you can link it with other weaknesses to achieve, to have a full working attack or bug.

(28:13):
So I think in the last three years, browsers added a lot of security features. So sometimes people would read the blog, how to, for example, exploit a CSRF attack.
They find vulnerable CSRF endpoint and everything, and they wonder why it's not working. Sometimes you have like security policies or security features added and the browser would protect against CSRF even if it's present.

(28:53):
So they just try and waste time. And if they knew about, for example, an attribute in a cookie or a header, they would immediately know that the attack won't work.
So I guess that's the problem, lack of knowledge and specifics in JavaScript and browsers in general.

(29:22):
Ok, and when you want to learn something new, let's assume you know nothing about OAuth, about the protocol itself and you want to learn it. How would you do this? Would you set up your own servers to understand the flows or you just hack?

(29:44):
No, I try to understand, of course, the protocol, how the protocol works. So first thing would do to have like test environment set up. After that, I try to each time have a configuration.

(30:06):
Another configuration than the previous one, for example, for OAuth, I try to have four or five types of OAuth communications type, for example, or exchange type.
And I try to test them all. After that, in the meanwhile, I need to read the spec of OAuth. So I try to read the spec of OAuth, what's recommended by the spec writers, what's recommended, what's enforced by the spec writers.

(30:46):
And yeah, after that, I prepare, for example, I prepare Facebook OAuth and see if they apply the same specs mentioned in the specs.
So if they do it, they do it in the right way and I won't find a bad, if they do it wrong way, like I know and I can explain that.

(31:16):
Also, I try to, for example, sometimes the spec has a fault or is wrong. So sometimes the spec has weakness. So I try to exploit that and report it, for example, to a big company like Facebook.

(31:39):
I get paid even though Facebook is not faulty here because it followed the spec, but I try to get a bounty out of it. And after that, I report to the, for example, the spec writers or to the net bros.
And when you have a specification in front of you, which usually is a huge document, what do you pay special attention to?

(32:11):
Inputs, of course, like user or the inputs that can be controlled by me or, for example, the redirect URI in OAuth. I uncheck, for example, the checks made to that redirect URI to verify it's a valid one.
Yeah, so I focus on that and focus, for example, response type. If it's possible to have in a certain exchange tied with OAuth to have both token and the code.

(32:48):
And if that's possible, can I leak the code or token to, for example, answer open redirects. So I focus on things that I can't control, I can't change in the Nandtech.
Few other things like dark constants or won't have the Nandtechs, I won't read them.

(33:13):
Okay. Do you use any websites with labs like Pentester lab or Hack the Box or maybe do you play any CTFs?
Actually, no, but for example, I read a lot of white papers. I read a lot of write-ups and especially like the new research.

(33:43):
And after I do that, the research, I try to do like a home lab where I can test how to exploit this pen. I have like different levels of difficulties, different cases and try to exploit them.

(34:04):
Oh, wow. I believe those labs are golden, somewhere on your computer.
You can do labs too, like I get two lines are better than one. So if the lab, the one week of the thought about a trick that you do the same code, it's better also to do labs. I encourage people to do labs, but for me, it's about time.

(34:34):
I don't have much time to do that.
Okay. What programming language do you use to create those labs?
So I'm old school, so I use PHP, but I try to, because I have maximum control of the web application, but now I do both JavaScript in the backend and sometimes when I'm testing, I'm testing back there in the front end.

(35:09):
So it became more easier to program.
Okay. You now, you are not a full-time bug bounty hunter, you also work employed, is this correct?
I'm employed, so I have a company, so I don't from now on, let's say I don't operate as a person, but as a company, so I do my bug bounty hunting as a company, I do penetration testing jobs as a company.

(35:45):
So it's similar to a full-time bug bounty hunter, but I operate as a company.
Okay. So you also do pen tests, sort of like a freelancer.
No, because I can have a contract with the company, I do it myself, I have a few people that I know that would help me sometimes, so I outsource some things. I have an employee, so I can also ask them to work on that.

(36:21):
Okay, I understand. And how is your hacking style different when you do pen tests versus when you do bug bounty?
So with pen tests, the big privilege is sometimes I have the source code, it would be for example white box testing or gray box testing. That's perfect for me because I like code review, I'm very good at good code review, even for the backend.

(36:58):
So that's a big plus for me. It's easier. Also, I'll try to have like, I'll have like my passive or analysis tool or static analysis tools that I can use directly, so it can make my work easier.

(37:22):
What tools do you use for this?
No, I have my own tools that I use. It's not special, but I have for example, I have like filters or like conditions, let's say, to get something, to add something, for example, variable or not.

(37:56):
The database of conditions or sense gets always updated by Steam, so it might be fine. And it's similar to one tool, I'm not sure, nuclei or something like that.
It's similar to nuclei, yeah, it's very popular.

(38:18):
Yeah, I guess.
Okay. So how much do you work? Because from this podcast, we know that you usually hunt for a few days, then when you find a valid bug, you like to chill out for some time. So what do you do in this chill out time?
So chill out time, so it would be like, I travel, I'll, my chill out time also can be reading books, learning, so I try to learn more about like hacking or even other fields like AI or blockchain. So it would be my chill out time.

(38:59):
Also, I just go out, yeah. But it's not always the case. Because sometimes I'll have, for example, maintenance jobs, they have a fixed time lapse. So I'll work on that.

(39:29):
Okay. And after such a chill time, what gives you the motivation to come back to hunting again?
It's on the rock. No, like, I'm not sure, like, I just feel about hacking, or maybe I learned something, I read something new in a book or something and it encourages me to like go that step and make profits.

(40:03):
Okay, okay, I understand. And you prefer to work from the office than from home, as we've talked about previously. What are the other productivity things that you do to just be more effective at your work?

(40:25):
Yes, I have a clean setup and I have multiple monitors, like each monitor is for a task, let's say. Also, I encourage to have like lights, a lot of light in the room, to have a green area, like a plant or something.

(40:50):
Yeah, sometimes I'll just have TV open, just to have an accompaniment, let's say. Yeah, in that sense.
And when is your hunt?
I said I consume a lot of coffee.

(41:14):
That's of course. And when is your hunting day? How does this day look like? What time do you get up? What time do you start working? Do you have any other habits that you like to do?
So, before, when I didn't have the company, it was like random. I can, for example, stay for 14 hours. I can stay up all night and sleep all day.

(41:50):
But now, since I have this, like I have work hours, let's say, I try to, for example, wake up at 7 or 6 and work for 8 or 9 hours.
Okay. And do you have some structured approach to taking breaks in the middle of the day or do you just go with the gut feeling?

(42:24):
Yeah, I actually have a lot of breaks. Like, if I feel I finished a task, I finish it, like something, like I made progress, I just take a break, like 15 minutes break.
If I reach something bigger, I take 30 minutes. It's like motivation thing to get done to have a break.

(42:57):
Okay, I understand. Let's now switch gears a little bit. There is a topic so hot that we can't just not talk about it. Of course, it's the AI.
What uses of AI did you try? How did you try to make AI help you at your job?

(43:19):
So, as I said, I guess most of my work is manual, but of course, if I can get free second hand, I would use it. So, AI, I use it for specific search in certain databases.

(43:44):
For example, I refer to Google as a database. So, if I take, if ChatGPT can analyze, for example, the code and decide what things to search for to get this, for example, exploitable.
For example, if I find in one JavaScript file, I don't have an example now, but it would make very specific search in free archive.org, Google, other databases and get me the response without really like analyzing the code

(44:30):
and finding that interesting line. So, that's at the moment the only thing that I use. So, in the future, I guess it's possible to do make ChatGPT, at least for me, not complex ones,
because I had like, I made an experience and with a friend and they asked about it in an interview. And yes, it was in GD. So, I tested ChatGPT to find the bug that I found.

(45:11):
So, it wasn't able to find it. And even though ChatGPT maybe was trained based on my article, even though that's the case, it wasn't able to find it.
So, I guess it won't be like helpful to get complex bugs found, but to get multiple weaknesses that could, that would mean that you may be able to analyze and there may be shade to get a big impact.

(45:50):
Do you think in the future AI will be able to take a job of Pentesters or bug bounty hunters?
I think, I'd say 60% of bug bounty can be done by an AI. Like the 60% work of current bug bounty hunters can be done.

(46:20):
That's why I encourage bug bounty hunters to always find a special talent or something very specific to you and learn more about it, learn all the complexity behind it.
Because that won't be an easy task for an AI, for any AI.

(46:45):
Yeah, that's a great tip. I think for anyone who now wants to learn something, the thought process should involve, can AI replace me doing this in some time in the future?
Or is this a unique skill, which at least for upcoming years, AI won't be able to do and looking at security, AI may find simple bugs, but I don't see in upcoming years that it will be able to understand the complex, multi-component infrastructure, all the microservices, different contexts, it's just too complex.

(47:34):
So I think if we can find bugs like this, then we are secure.
How about...
Go ahead.
Okay, so it's like, I guess, even currently, since ChatGPT for example is not operating by itself, so when API is available I guess, so you can, bug bounty hunters can do, I guess they can do some jobs with ChatGPT or find bugs in ChatGPT at least.

(48:16):
It's only about the way you do it, since it doesn't have an internet access, so you have to give clues, you have to, of course, describe the behavior of the application.
Also, yeah, do you encourage like people or hunters to use AI?

(48:41):
I try to use AI in my job, but so far, most of the uses when I see it's useful is more in the content creation side than actually when hacking.
When hacking, so far, the good use of ChatGPT is to generate a template.

(49:11):
This is maybe more for CTFs, when you need, I don't know, a Python script to send a payload over web sockets.
With Google it will take you at least a few minutes to find out the fellow word, modify it and so on, and for things like that ChatGPT is awesome because it really generates something that can be a base of your exploits.

(49:36):
So this is, for me so far, it's the only real good use of AI in my security work.
Yeah, nice. Yes, it's a good way to use it.
Yeah, I also saw it's integrated now in Semgrep for verifying if, Semgrep is a source code scanner and they integrated it to verify if the finding is a false positive or not.

(50:04):
So it takes the alert from Semgrep and takes the context of the code and says if it's good or not. I haven't tested it, but I think it makes sense and it's a very good context for AI.
So let's see how it works.
Yeah.
Another sort of new, although now with the AI hype a bit forgotten trend is the web3 and blockchain. Did you do any hacking of web3 apps?

(50:36):
To be honest, I'm still studying the technology. I know it's like a new technology, it's very old, but I didn't have the time to switch from web2 to web3 hacking.
It's the same concept and maybe it would work best for me because I like code review and it would be a good way to analyze smart contracts and everything.

(51:08):
But yeah, however, I had some bad reviews from other hackers that tested web3 applications.
Sometimes they won't get paid as much as they promised, like as the program promised. Sometimes they get paid after six months or a year.

(51:38):
And for me it's a critical thing, like the timing of the payout.
But I guess I'll try it.
Yeah, I noticed over the course of this podcast that for you the quick feedback loop of getting a payout is very important.

(52:00):
And I saw in some of the bugs I covered on my channel with web3, the bounty was paid out over a year.
So in the write-up it was written that the bounty is 1 million that's paid over a year. So it's like someone with a reverse credit.

(52:22):
So you get the bounty paid over a year. I don't know exactly how it works, but I don't think in web2 bounties we saw anything like this.
Yeah, I see.
I mean, exactly the same boat as you. I also like to review the code and understand the code.

(52:45):
And I felt like smart contracts should be something for me because of this, because there you always can access the code, at least the compiled one.
And yet I still didn't use it and I still didn't transfer. I did some learning, but not enough to find real-world bugs with it.
Yeah, also the bugs are very limited. Like if you want to make a full switch from web2 to web3 bug bounty hunting, you'll have to find reliable programs.

(53:21):
I can think about, let's say, it's like 50 programs would be competing with other hackers, of course, and especially black hat hackers, which I guess have more experience than some.
So it can't be easy. Bugs would be really limited, but the payout is huge.

(53:48):
Yeah, so if you can work with these things, you can choose web3.
Yeah, so coming back to the regular bug hunting of yours. Last, I think, three years you were top one on the leaderboard of Facebook, but you tweeted that this year you will not be on the Hall of Fame of Facebook.

(54:20):
What is this about?
Moving on, like I said at the beginning, I was happy with Facebook and I stayed working with Facebook because they had the best payouts and they had the best report to bounty type. Now they don't have that.

(54:49):
Many HackerOne programs have bigger bounties than Facebook. Also, it happened to me that I would wait six months for the report to get resolved and get inbate.
So that doesn't work for me and that's why I switched. So I still didn't fully start with HackerOne, but that's the plan for now, to focus on HackerOne programs and finish with Facebook.

(55:28):
Okay, that's a big loss for Facebook right there. Apart from waiting for payouts, what are the things you don't like about bug bounty?
Yeah, so I guess with bug bounty, sometimes I feel it's not like a good relationship with the hacker and the company. Most of the time you have a third party in the middle, which is the triager, which is employed by a third party.

(56:10):
Or by the platform, a hacking platform. So you can't have a direct relationship with the company. Sometimes the problem would be in the triager, then understand it wrongly and he or she won't follow it to the company, for example.

(56:32):
Sometimes if you have a relationship with the company, they know about little details, for example, from previous reports or from previous work that you did with them.
And they understand that the report is critical and need to get triaged immediately. With the triager, it's not the case. Facebook actually worked on this, even though triagers are employed by Facebook.

(57:05):
But for example, for some people, for example, like me, they'll have a single triager assigned to me, for example, and I can ask them or contact them about, like, for example, I get the report triaged in one day.

(57:28):
That helps a lot to make the process fast. I guess that with hunters, the main issue is time and understanding of the weakness.
Of course, I can blame the hacking platforms or the companies. They need to filter a lot. So I guess it's on us to try to learn as much as possible and not to try to spam these companies and these triagers.

(58:06):
Let's assume I am a CEO of HackerOne or a big bug bounty platform. And I ask you, Yousef, we want to make our platform better for hackers. What are the things you would recommend me to change?

(58:29):
So with HackerOne, I guess it's, yeah, they did a lot. I won't say they're perfect, but they did. They had a lot of ideas. They applied them. The only issue that I can see is sometimes the misunderstanding of the triager.
For example, the item that should be correct, for example, sometimes they'll peer a report and duplicate to another report which is not related.

(59:04):
For example, it can't be the same issue and they'll find like common keywords and the common words in both reports and just click them. So I think that's the current problem with HackerOne.
I won't say they have one job and they have a problem in it, but if they work more on the triaging process, it would be great. Also, I don't blame them.

(59:36):
I mean, imagine receiving a thousand reports, I'm not sure, per week or per day and only 10 are valid. So it's stressful.
Yeah, it's really hard. I also had similar problems. A few months ago, I had a situation where I would report a bug. It was like a cross-site leaks.

(01:00:06):
So a bug really not easy to reproduce. It was time-based. So it was like the worst version, but I had no change, so I reported it. And the triager couldn't make it work.
And after like a few going back and forth, I'm just okay. It's a low payout, so I'm just leaving it as it is.

(01:00:27):
And then I had another bug mishandled by the same triager. So I asked the program if another report that was already triaged, maybe even fixed.
I asked them that this triager is not really handling the reports well and things like that. And they actually triaged both my other reports immediately.

(01:00:52):
And it showed me that talking with the program owners or the program maintainers or whatever is completely different than talking with the triager.
So I definitely hear what you say. And on the other hand, also from HackerOne point of view, there are so many hackers that I think it's a reasonable business decision for them to just prioritize their relationship with the clients rather than prioritize hackers, which is bad for us.

(01:01:27):
But I think it's the sad truth.
I guess that's true too. Like always, the client is right, I guess. And I understand that too, because they get paid from the client, they're not getting paid from us, for example, for having us in contact with the program.

(01:01:53):
So I guess for that, they have to maintain a relationship with the clients. And a few of us could have bad reports, but in general, for example, you'll have, like, on average, you'll have a good experience with that program.

(01:02:15):
Like some of us would take the fall, let's say.
By the way, you said you had an assigned triager in Facebook. After how many reports did they assign a triager to you?

(01:02:36):
Yeah, so it's not assigned. It's not like a triager only works for my reports. But at certain points, I always have the same triager for any report.
So for example, yeah, it happened like, I guess, two years ago, or like for anyone in the diamond league, they'll have someone that only focusing on that person.

(01:03:10):
And it's good to have the researchers have a certain style or a certain history of reporting certain bugs. It's better to have only one person that would understand the exploit code.

(01:03:32):
Yeah.
For those listeners who don't know, Facebook has a ranking system based on your performance in the last year, and the diamond league is like the highest tier of this ranking. This is what Youssef mentioned here.
Okay, finally, what are you looking forward to achieve in 2023?

(01:04:01):
Okay, of course, I need to make more money, similar as last year or more. Yeah, I guess for this year, I tried to switch fields, not in the security field, but I'm trying to focus on mobile security.

(01:04:24):
And yeah, at least for example, account takeovers via mobile, I guess nowadays, it's rare to find one and try to focus on that, like mobile security in general.
And it's possible to make the same amount that I made last year, but only focusing on mobile security, it wouldn't be a great achievement for me.

(01:04:59):
Of course, not with Facebook, but other programs.
Awesome, that's awesome. I wish you lots of luck with this. Thank you so much for joining me today. It has been a goldmine of tips for me and for my viewers as well. If they want to follow you, where can they find you?

(01:05:26):
So yeah, thank you for having me. It was a nice interview, I guess. And if you want to follow me, you can find me on Twitter. Like my handle is SAWN0UDA. And yeah, I am available on Twitter.

(01:05:51):
Awesome, we'll of course link this in the description.
What an amazing interview.
Myself, I have lots of takeaways, and I hope you do too.
In fact, if you do, let me know by leaving a like
if you're watching this on YouTube, or a review, if you're listening to it

(01:06:12):
on Apple Podcasts, Spotify or another podcasting app.
And if you want to hear another interview with a hunter
that likes to go deep into the application, listen to this one
that's on your screen right now with Johan Carlsson,
who has incredible success in his first year of bug bounty.

(01:06:33):
For now, thank you for listening and goodbye!