Hackers are a major threat to the US government and its military. The US Air Force (USAF) got hacked by a 17-year-old high-school student who, instead of being punished, raked in hundreds of thousands in bounties. It wasn’t a malicious attack, however: the teenager was participating in the air force’s bug bounty program.
Seventeen-year-old Jack Cable topped the air force’s bug bounty program, Hack the Air Force, by identifying 30 critical vulnerabilities and reportedly took home a massive cash prize; the Pentagon paid out between $100 (£77) and $5,000 for each vulnerability. Some of the bug bounty’s top hackers reportedly got over $130,000.
Unlike other bug bounty programs, the USAF opened its hackathon to hackers from across the globe. The air force said that 33 of the hackers who participated in the bug bounty program “came from outside the US,” while two were active-duty US military personnel. The air force also confirmed that Cable earned “the largest bounty.”
“I found what’s known as an XML external entities vulnerability. That handles the application’s processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on it for a few hours into a remote code execution. So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to,” Cable told Marketplace.
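The mechanism Cable describes, shown as an added example (not code from the article or from the air force system): an XML parser that resolves external entities fetches whatever URL the document's DTD names and inlines the result, while the hardened setting ignores the reference. The secret file, the request body and the `feature_external_ges` toggle on Python's stdlib SAX parser are the assumptions here; a `file://` URL stands in for the remote URL so the example runs offline.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for server-side data the application must never expose.
SECRET = "constructed-secret-token-12345"


class TextCollector(ContentHandler):
    """Gathers every run of character data the parser reports, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_document(xml_bytes, resolve_external_entities):
    """Parse with the stdlib expat-backed SAX parser.

    True mirrors a weakly configured parser: the DTD names a system identifier
    (file://, http://, ...) and the parser fetches it and inlines the content.
    False is the hardened setting (also the stdlib default): the reference is dropped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def constructed_request(target_url):
    # Constructed request body: the DTD declares an external entity that points at
    # a URL and the document body references it, which is the shape an XXE probe takes.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY ext SYSTEM "{target_url}"> ]>\n'
        "<order><note>&ext;</note></order>"
    ).encode()


def demo():
    """Return (text a weak parser leaks, text the hardened parser yields)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = pathlib.Path(tmp) / "secret.txt"
        secret_file.write_text(SECRET)
        doc = constructed_request(secret_file.as_uri())
        leaked = parse_document(doc, resolve_external_entities=True)
        hardened = parse_document(doc, resolve_external_entities=False)
    return leaked, hardened
```

The same toggle exists in every mainstream XML library (for example `resolve_entities=False` in lxml or disabling `external-general-entities` in Java's `DocumentBuilderFactory`); the defensive rule is to disable DTD and external entity processing on any parser that handles untrusted input.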
The USAF bug bounty was reportedly run on the HackerOne platform and invited around 600 hackers from the US, Canada, UK, Australia and New Zealand. All five nations are part of the Five Eyes intelligence alliance.
Cable also reported vulnerabilities in the India-based food app Zomato. In May, 17 million Zomato user accounts were put up for sale on the dark web. Shortly after the breach, however, the food and restaurant-search app launched its own bug bounty program.
Bug bounty programs have gained popularity over the past few years, with platforms such as Tor recently launching their own programs. In the past, tech giants such as Google, Twitter, Facebook, Apple and others have paid white-hat hackers substantial cash rewards for finding bugs and helping improve their cybersecurity infrastructure.
Source: IBTimes