Hacken Ecosystem

Not that long ago, HackenProof has held an onsite Bug Bounty Marathon called Hacken Cup and invited a group of 25 talented hackers from all over the world to Ukraine to take part in the hackathon. During the event, we have interviewed many of them including security analyst Yassine Aboukir (@yassineaboukir) about his hacking background, future plans, impressions about Hacken Cup and many other interesting topics.

Can you tell us a little bit more about yourself? How did you start hacking?

Yassine Aboukir: Yassine, originally from Agadir, a city along Morocco’s southern Atlantic coast, and currently based in Lille, France although I have just been traveling around the world this year. I work as a security analyst for HackerOne and participate in bug bounties on the side. I rank 11th on the HackerOne leaderboard and paving my way to the top 10 very soon, hopefully. Regarding how I started out, I wish I can tell you about that clichéd story of me getting hacked or something similar then decided to learn about it. Instead, it was a cousin of mine who introduced me to it at a young age of 14 or 15, and it was a fun and challenging thing to do as a teenager back then. I used to find security flaws in random web applications and products then report them to their respective vendors. However, I did not receive any compensation or recognition in exchange for my efforts and work compared to nowadays. I consider myself lucky to have stumbled upon a news article about HackerOne and how it’s now possible to legally hack companies and get paid for it. I was quite intrigued and immediately signed up on the platform on November 7th, 2013, and that’s how I officially got into bug bounties. Yahoo was my first target back then, and I managed to identify a security vulnerability that earned me my first decent bounty in 2014. The adrenaline rush was real and insane which motivated me to keep digging and hacking on these high-profile companies.

What about hacking appeals to you? What do you like about it?

Yassine Aboukir: Hacking to me is a passion, something I mainly do for fun. It’s like how some people seek their pleasure from playing video games, but mine is from hacking. I particularly like the intellectual challenge that comes along with trying to break something. Understanding its functioning and then figure out ways to break it down. The recognition, as well as financial incentive that bug bounties offer, is very appealing.

Do you have any hacker mentors? Like the guys you really look up to, the guys you learn from.

Yassine Aboukir: Yes, I do. I’ve been to many live hacking events where I have not only met and interacted with numerous astounding hackers but also had the pleasure to collaborate with them and even go on a road trip together (Winking at @0xteknogeek, @smiegles, and @prebenve). I have a bunch of other people that I look up to, mainly hackers contributing to scientific research, the likes of Orange Tsai, file descriptor and Tavis Ormandy to name a few. These are very talented whitehat hackers immensely contributing intellectually to the infosec industry.

You’ve traveled to Ukraine. Have you been to Ukraine before? What can you tell about the country? Is there something that surprised you?

Yassine Aboukir: This is my first time in Eastern Europe. I heard many stereotypes about the country, but I do not believe them and like to see by my own eyes. Ukraine was a pretty exciting destination in a sense that unlike what I expected people were kind and friendly. The buildings’ architecture was beautiful and historical. The weather is good, and the living cost appears to be quite cheap compared to other European countries I visited. My overall experience was excellent and do not see any reason why I wouldn’t come back, especially to pay a visit to Odessa coastal city which everyone is bragging about.

Describe what is a Hacken Cup for you. How’s it been so far?

Yassine Aboukir: As I mentioned before, I’ve been to many live hacking events, and I was quite surprised Hacken Cup turned out to be such a well-organized event. The level of organization is top-notch, and I cherished the lovely welcome from the team getting picked up at the airport and being offered a nice package of swag. That was cool! Also, the targeted companies were good, at least the two I mainly hacked on. The scope was approachable and not very hardened. Company representatives were on-site, and you could chat with them about any concern or question which helped a lot clear some doubts.

Additionally, hackers you invited are great and friendly. We had so much fun together, and I loved that they had a good spirit and sense of humor especially when we were trolling them on the leaderboard (Taxi drivers FTW!). I am glad that I teamed up with two other talented hackers (Cheers to @geekboy and @ehsahil) who literally killed it, so thank you for allowing us that opportunity as it was so much fun.

What is the most interesting bug you’ve found today?

Yassine Aboukir: I have had many creative and cool bugs, however, I personally prefer simple but impactful ones. For the sake of this interview, I’ll just take the example of an Insecure Direct Object References (IDOR) vulnerability that I discovered on a crowdfunding online service as a result of extensive fuzzing of the company’s API until I managed to identify an endpoint that returns any particular user’s payment information including partially masked credit card numbers, PayPal address, billing address, etc. It was as easy as incrementing the ID to gain access to sensitive information of thousands of users. It paid very well!

Can you tell what you like and what you don’t like in general about bug bounty platforms?

Yassine Aboukir: I have much respect for platforms that invest more efforts in converting private programs into public ones. I need more programs to hack on and can’t afford to wait for an occasional invite, and newcomers would also certainly appreciate this point. I also like platforms that make an effort to educate their community of hackers by offering resources and investing money in making online training accessible to them free of charge as well as leveraging the platform features to encourage more sharing and disclosures so that everyone else can learn one or two things from other talented hackers. Features like hackitivity, hacker collaboration, CTFs to name a few are very valuable to us, hackers. That means that we are having our share of attention instead of platforms only focusing on their customer success. You, HackenProof, for instance, seem to have understood this and have built a stable platform with a decent hacktivity among some other features I noticed while using it, but I do believe there are more places to improve.

What are you doing when you’re not hacking? How do you relax?

Yassine Aboukir: When I’m not hacking, you’ll probably spot me skateboarding in the streets or hanging out in the park photographing with my Canon, flying my DJI drone as well. Otherwise, I would chill home and stream some movies and TV series on Netflix. I also travel a lot and have been digital nomading for a while now, so exploring new places meeting new people is also something I enjoy doing.

In your opinion, what is the role of bug bounty platforms in general in converting hackers to the Light Side?

Yassine Aboukir: It is significant. I have done some irresponsible disclosures in the past among other things I am not genuinely proud of, but the emergence of these bug bounty platforms has changed my life downside up. I think these platforms are literally making the internet a safer place and it’s definitely not a cheesy statement, they really do! I personally know a number of people who have done illegal activities in the past and suddenly turned whitehats thanks to bug bounties and these platforms that make it easy and practical to do it. You can literally make a good living out of bug bounties now, and some people are already doing full time as well which is incredibly amazing.

Why have you chosen a white hat hacker path?

Yassine Aboukir: Because I am a good person I guess and I do not want to end up serving time in jail. Honestly, I do not see any other sound alternative and being a whitehat hacker has been a blast so far. You get the chance to legally hack high-profile companies and put your knowledge into practice then get paid for it. Why wouldn’t you go for otherwise? It’s undoubtedly the right career path if you wish to go beyond.

What’s your ultimate goal? What do you want to accomplish in your career? What’s the end game?

Yassine Aboukir: That is a tough question, but I do have a long-term picture in my mind. I have quite a decent professional experience so far being actively involved in the infosec for over 4 years now, but I am still and always learning new things as well as conquering new cybersecurity areas and technologies. I will be sticking to technical positions mainly security engineering in the coming few years. However, the end game is to make my way into an executive position such as a CSO at an organization that I believe in, and ultimately take advantage of my academic business background and technical expertise to solve and remediate cybersecurity problems on a large scale.

What advice would you give to other hackers that are just starting out?

Yassine Aboukir: I would advise them to be more patient and disciplined. I went through the initial frustration when you spend a considerable number of hours on a program and end up not finding anything. I actually still do sometimes as it’s part of the game.

You should leverage all the public online content out there from reading disclosed bug bounty reports and blog posts to reading various hacking books that are valuable such as “The Web Application Hacker’s Handbook” by Dafydd Stuttard and “Web Hacking 101” by Pete Yaworsk.

Playing CTF can be useful as well to learn some techniques that you could leverage during bug hunting. Additionally, make sure to follow all those great hackers on Twitter, and you will be surprised by the content quality they share on a daily basis.

What can be done to improve the bug hunting community?

Yassine Aboukir: The bug bounty community has immensely grown since I first started. The competition is incredibly fierce now, but that does not necessarily mean the community is mature but it does still need more improvement for sure. This can only be achieved through bug bounty platforms joining forces and aiming to educate hackers by creating and releasing more useful content and features such as the few ones I mentioned earlier. The community is need of more meetups, conferences and live hacking events where people can meet, get to know each other and share knowledge. Example of Hacken Cup organized by HackenProof, HackerOne’s various live hacking events across the world as well as Bugcrowd’s bug bash, etc.