The security researcher says it’s ‘our duty’ to sound the alarm over vulnerabilities – but getting organizations to listen can be a different ball game
Critical infrastructure in Africa represents an alarmingly easy target for cybercriminals, a French-Senegalese bug bounty hunter tells The Daily Swig.
In a wide-ranging interview, Clément Domingo, who also works as a security engineer for a major French company, reflects on the gap between French and US attitudes to ethical hacking, why patience can be a virtue when reporting vulnerabilities, and participating in capture the flag competitions for the Hexpresso team.
Given you’re also employed as a security engineer, how challenging is bug bounty hunting as a full-time career? It must be difficult for some, not knowing when the next paycheck is coming.
I’ve worked in the cybersecurity field for around eight years now and have been doing bug bounties for five.
[I know] many guys that have just burned out [doing bug bounty full time] because they are so stressed.
Bug bounty is quite stressful if you don’t also have a good job.
Which technology areas do you most enjoy or find most rewarding?
I enjoy web security the most, so most of the time I do web security, but in the past two years I’ve dived a bit more into mobile applications because I noticed that many guys in cybersecurity research don’t do a lot [in this area].
You find a lot of things in mobile that you cannot find on the web. I found some critical vulnerabilities in a very big mobile application.
When people are trying to build a mobile app, they don’t often think about the ‘dark side’.
When web developers write an application, they try to log a lot of information, including critical information, so when you try to decompile the application, you can, for example, find some secret token, some secret keys, and then try to decode all the user information.
You have some frameworks, you have some CMS, and things tend to be more secure and more complicated to exploit than 10 years ago.
[But] it’s quite complicated now to find SQL injection or some other error in mobile applications.
Tell us a bit more about the critical flaw you found in a mobile application…
I found three trivial vulnerabilities that separately wouldn’t have a big impact, but because I chained them [they became critical] and I got the maximum bounty.
The first one was a simple [vulnerability] that allowed me to access user information.
The second one was abusing a legitimate SMS feature. For example, when you send money to other people you get a notification.
In maybe one hour you can send 1,000 SMS messages, but what if you find a way to send it to more than 1,000 – for example, 10,000 or a lot more?
There was a limitation to just one country, but I found a way to bypass it and send SMS all around the world.
I think many young bug hunters, when they find vulnerabilities, tend to report them immediately.
Maybe if they dig some more, they can maybe find other vulnerabilities, chain them, and the impact will be very big.
What bug bounty programs are you working on at the moment?
Ninety percent of my research is for French cybersecurity programs because I’m French and we have a lot of good programs.
In the last three years I’ve been focusing on two major programs – one is private, which I can’t disclose, and another is for BlaBlaCar [a popular French online marketplace for carpooling].
It’s very important to me to learn something new, and this is really challenging because it’s a very specific technology in which I don’t usually work.
At first, I didn’t know anything about this, [and when I’m new to a technology] I maybe install a lab, and try to [do some testing], before [I attack] the real target.
Have you had any problems disclosing security bugs or dealing with companies?
Here in France, we don’t do bug bounty like in the rest of the world. We have two major platforms: YesWeHack and Yogosha.
I’ve heard of some French bug hunters facing some problems when they submit a bug report, but so far, I haven't faced many problems.
I did stop hunting on one program, because it was not really a professional [setup]. I submitted six SQL injections, and the guys didn’t understand [cybersecurity] and they just paid me €100.
So, I quit and stopped hunting for the program. When you are doing bug bounty, whether you are a company or a bug hunter, both parties have to share knowledge and try to work together.
If I don’t have this kind of exchange, it’s not very useful for me.
Clément Domingo is on the Hexpresso capture the flag team
You said that France has a different approach to bug bounty than Europe or North America. What would you say are the key differences?
Here in France, bug bounty is very young. It started a maximum of five years ago. In the US it was maybe 10 years ago.
You don’t have a lot of [researchers] doing bug bounties, and you don’t have a lot of companies doing it, because there’s a cultural [difference].
In the US there are many companies that do it.
In France, when you say to people, “I work in cybersecurity”, they are kind of suspicious.
When you say, “I’m a hacker”, they think you want to steal their data. So, you have to explain that you are trying to keep their data safe.
That mindset has to change before we can reach [the same] level [as the US].
In a previous interview you talked about probing systems in Senegal?
It was a negative experience because the mindset isn’t up to date. During the lockdown I found a critical information leakage flaw – [potentially affecting] maybe two million people, including names, emails, addresses, and some other critical information.
I tried to contact [the company] immediately, and it was so complicated to reach the right person, explain why it was so critical, and why they had to patch this very quickly. I finally quit because it was so complicated.
I tested it again a few weeks ago and I was so disappointed, [the vulnerability] was still there.
What’s your thoughts about the state of cybersecurity elsewhere in Africa?
It’s something that we don’t discuss a lot [in the cybersecurity industry] but I’m trying to discuss it.
When I use Shodan and find some critical information in some critical infrastructure that is not protected, [it makes me] think that the next big target will be in Africa. You have networks, the IoT, and lots of projects without any cybersecurity.
When you try to search [for information] about cybersecurity in Africa, you find nothing. It’s quite a new topic that needs to be discussed.
So, I think it’s our duty to alert people to these things, and try to [educate people on] what is a bug bounty, what is cybersecurity, how to protect data, and how to use the internet securely.
Tell us about your experiences with the Hexpresso team in capture the flag (CTF) competitions?
We’ve been doing CTF for six years now. At the very beginning, we were just newbies, but we wanted to learn more, so we started doing CTF [challenges] during the weekends.
Over the years we grew together and went on to win prestigious CTFs around the world. We also had big opportunities to do some CTFs in China and Russia.
It is one of my best experiences because in the Hexpresso team we are all friends, we meet to share some beer, some wine, to talk about cybersecurity. In Hexpresso we have some incredible guys.
The two past years we have also been organizing some CTF here in France, and in Africa.