The big bug hunt

“IT CAN be kind of addictive,” says Emily Stark, a Californian engineer who started looking for bugs in websites in her evenings after work. “There’s a lot of low-hanging fruit out there.”

There are also a lot of Emily Starks out there, for anyone with a computer and a penchant for puzzles can be a bughunter. You learn the basics from online guides and discussion forums, and practise on websites built to be broken into, such as Google Gruyere, which gives hackers a training ground. Ms Stark earned a tidy sum reporting bugs to Twitter, Square, Slack, WePay and Coinbase. She got so good at it that Google recruited her, and she now has a full-time job in the firm’s security division. But Google also offers opportunities for those who wish to stay freelance. Its bug-bounty programme pays anything from $500 for spotting a minor security error to $50,000 for breaking into a Google-made laptop.

For Ms Stark, in her freelance days, a typical session began as it would start for many bughunters. She would pick a promising website and enumerate the ways in which users could engage with and change it, for these are the points of vulnerability—and, in her experience, few websites get every part of their user-authentication procedures right.

After someone logs in to his bank account, for example, his browser sends the bank’s server some information to identify who he is. This is the online equivalent of a customer in person showing a bank clerk an identity card. However, unlike a bank clerk, a web server cannot easily keep track of who a visitor is. It has to ask to see the user’s ID every time he loads a new page or refreshes an old one. To save the user’s time and sanity, his browser therefore stores this ID in a small file called a cookie.

To be secure, the browser should offer the contents of the cookie only in response to requests that come from the bank’s website. It should certainly not show it to other websites. The bughunter’s job, in this case, is to coax it to do so.

One way to attempt this is to sneak a series of commands, known as a script, into the user’s browser. To get access to the user’s ID cookie, the script will have to pretend it is coming from the bank’s website. A bughunter may thus, for example, try to implant a script into that website by entering it into a badly designed web forum as a comment. When a comment (any comment) is entered into such a forum, it is automatically embedded into a new page on the website. Instead of posting an innocent comment, the bughunter will submit a script that tells the browser of anyone subsequently looking at that page to send details of his user-ID cookie to the bughunter. Visitors to that forum page will thus have their ID stolen. This form of hacking is called “cross-site scripting”. It accounts for 80% of website-security problems according to High-Tech Bridge, a computer-security firm.

Since cross-site scripting involves browsers and websites, those at highest risk from bugs are browsermakers like Google, and the makers of websites that store users’ details, such as Facebook. Hence Google’s bounty programme, and hence also the fact that Facebook has paid out, over the years, some $3m in bounties.

Not surprisingly, bughunters are starting to band together and firms are springing up. One such, Bugcrowd, has 19,000 active hunters on its books, 30% of whom are based in India. The lower cost of living there than in, say, California means freelance bughunting can be a sensible career, not just a source of pin money. It also lets hackers strut their stuff in an environment where foreign computer firms may notice their talent.

Bughunting is not all sweetness and light, of course. Some hunters, and even some bughunting firms, sell to the highest bidder regardless, especially if the firm whose weakness they have discovered has no formal bounty programme. Hacking Team, an Italian company, has come under fire from a member of the European Parliament for allegedly aiding espionage by oppressive regimes. In an ironic twist, the firm had its own data hacked in July. These data suggested it had received millions of dollars in fees from governments that included Russia’s and Sudan’s.

Even being a good guy, though, can be hard. As one understandably anonymous hacker put it, “If I were to ask a company without a bounty programme for compensation, it could easily be considered extortion.” Nor is it clear that the authorities understand the value of honest hackers. The Wassenaar Arrangement, an international pact to regulate the export of weapons, includes a provision that “intrusion software” cannot be transferred across a border without a licence. On July 20th Google stated its opposition to America’s implementation of the agreement, since this would limit the transfer of hacking software used by its bughunters, thus disarming Ms Stark’s successors.