Flying is a pain. Booking flights can be just as annoying. But, as one of Checkmarx’s own recently discovered, booking your flight can also be dangerous. David Sopas, a Portuguese security researcher at Checkmarx who hunts bugs on the side, found a common, highly disruptive security vulnerability on the website of one of the largest airlines in the world.
“I can’t disclose the type of vulnerability,” David said, noting the disclosure agreement with United Airlines, the airline in question. “But the impact of the bug was the ability to launch web attacks on United customers using the site.” The vulnerability has since been fixed on United’s website.
For his findings on United’s customer-facing website, David received 50,000 miles, which would have enabled him to travel extensively. Yet David chose to donate his winnings to the American Cancer Society. “I donated to this organization because I’ve had relatives who’ve suffered from [cancer] and I know what they dealt with,” David told us. To David, bug hunting is a challenge – not a job.
Not His First Bug Bounty Rodeo
David is no stranger to bug bounties like United’s, having disclosed tens of vulnerabilities on websites big and small that have resulted in payouts and advisories. Back in the early 2000s, David found numerous SQL injections in major e-commerce web apps. “One of [my findings] was used in a special article on SecurityFocus, explaining how bad SQL injection could damage your company.”
He’s discovered XSS on eBay, found that Google Bots could attack sites via SQL injection, and disclosed both CSRF and XSS on RunKeeper that, when paired together, could infect hundreds of thousands of RunKeeper users’ machines, à la the Samy worm on MySpace.
David got started in bug hunting, or as he likes to call it, “bug appreciation programs,” purely by luck. After discovering a security issue in a program on Cobalt.io’s platform, Cobalt invited David to research their site, where he found plenty more bugs. It’s that spirit of curiosity that got him into security in the first place.
From Toy Hacks to Web Hacks
David got into security the way many do – as a curious kid. “Since I was a kid I’ve wanted to know how things worked and, if possible, hack them,” David told us. “I dismantled a lot of toys and most of them didn’t work after I was done with them. That was sad – but challenging.”
By the time he got to high school, David was spending all his free time on IRC security channels, learning by interacting with more experienced hackers. “I’m a self-taught person, so most of what I know today was based in my own training,” David said.
David broke into the industry in 2003, when he found and published his first security advisory in Secunia – an XSS vulnerability in an open-source application. “Since then,” David told us, “I’ve published more than 50 security advisories in well-known web apps, both open-source and commercial.”
Bug Bounty State of Security
The continued success of bug hunters around the world is an amazing nod to the collaboration between security researchers and companies trying to improve their application security standing, yet underlying that is a more sinister side to the story: the wild successes that bug bounties have enjoyed mean that we still have a long way to go before organizations are on top of security, instead of relying on bounty hunters and customers to detail vulnerabilities in their applications.
OWASP Top 10 vulnerabilities continue to run rampant on web and mobile applications. With the amount of critical, sensitive data kept on applications, both those used within organizations and by their customers, organizations need to pay closer attention to the integrity of their code. Bug hunters like David are a great addition to a full-fledged security program – but bug bounties are not a solution to a wider problem of vulnerable code. For every white hat like David, there could be hundreds of script kiddies and more sophisticated hackers trying their luck at hacking major sites for less-than-savory rewards.
“Even if your web application has a security department,” David told us, “they could miss something. That’s why it’s important to constantly check your application. Some companies rely on those ‘seals’ telling us they’re protected… That’s wrong – and proof that it’s wrong is that even the companies offering protection have vulnerability appreciation programs.”
The silver lining is that there are people like David out there, taking the opportunity bug hunting provides to research security issues, teach himself further and earn rewards in return – even if he rarely keeps them. “Many of the rewards I’ve won were donated to healthcare institutions and local animal shelters,” David said. “If we all give a little, the world would be a better place, right? At least that’s what I think.”
Follow David on Twitter @DSopas and subscribe to the Checkmarx blog to keep up with David’s security research!