In January 2018, I hacked a Thomas the Tank Engine application as part of a bug bounty (awarded $1750 for two bugs). This talk will discuss the process of finding the vulns and the details of the security flaws that were submitted to the organisation.

Is there a way to hack legally and get paid for it? Well, there are professions such as penetration testing, but this has two major downsides: 1) dealing with clients can be messy, and 2) it's not always fun being told what to hack.

Bug bounties offer an alternative, with some people making millions by doing what they love: hacking things. In this talk, we'll discuss what bug bounties are and why they can be the perfect way to practise hacking in a safe and legal way. We'll be discussing the vulnerabilities I found in a Thomas the Tank Engine Android application that allowed me to take over accounts, looking at how the weaknesses were discovered and the way they could be exploited by an attacker.

Comments


Tom at 16:15 on 20 Oct 2019

Great intro

Andrew Howe at 17:52 on 20 Oct 2019

A really interesting introduction to the world of bug bounties through Jay's real-world experience with a particular app. The story and information were presented in an interesting and easy-to-understand way. Thanks to Jay for putting on the talk.