In January 2018, I hacked a Thomas the Tank Engine application as part of a bug bounty (awarded $1750 for two bugs). This talk will discuss the process of finding the vulns and the details of the security flaws that were submitted to the organisation.

Is there a way to hack legally and get paid for it? Well, there are professions such as penetration testing, but this has two major downsides: 1) dealing with clients can be messy and 2) it’s not always fun being told what to hack.

Bug bounties offer an alternative, with some people making millions by doing what they love: hacking things. In this talk, we’ll discuss what bug bounties are and why they can be the perfect way to practice hacking in a safe and legal way. We’ll also discuss the vulnerabilities I found in a Thomas the Tank Engine Android application that allowed me to take over accounts, looking at how the weaknesses were discovered and the way they could be exploited by an attacker.
