Dropbox uncovers 264 vulnerabilities in HackerOne Singapore bug hunt

Cloud storage vendor forks out US$319,300 in a one-day bug bounty programme that galvanised 45 HackerOne members in Singapore, where two hackers discussed their strategy and offered advice for businesses to better secure their systems.

Dropbox has uncovered 264 vulnerabilities, paying out US$319,300 in bounties, after a one-day bug hunt in Singapore that brought together hackers from 10 nations around the world. Hosted by bug bounty platform HackerOne, the live event saw 45 of its members from countries such as Japan, India, Australia, Hong Kong, and Sweden, and some as young as 19, band together in the city-state in an attempt to infiltrate Dropbox's targeted systems. 

The cloud storage vendor had revealed parts of its "attack" scope days earlier, so HackerOne members had already identified and submitted dozens of potential bugs before the live event. According to a company spokesperson, the focus this time was on Dropbox and its recently acquired digital workflow platform, HelloSign.  

Noting that the company already had a mature bug bounty program, the Dropbox spokesperson said it had established a "well-defined process" for reviewing bugs reported from such initiatives as well as determining their severity and necessary remedies. 


"Like all of our bug bounty efforts, we hope to leverage the unique perspectives and efforts of the participants to help us continue to make our products secure," he told ZDNet. "While we already have one of the most permissive scopes in the industry, we've expanded it even further for the live-hacking event [in Singapore]. Dropbox strongly encourages all companies to invest in a bug bounty program and considers a well-run bug bounty program to be a sign of technical security maturity."

Among the 264 vulnerabilities found in Singapore were flaws in Dropbox, HelloSign, and the systems of vendors that work with Dropbox. 

HackerOne has put together more than 1,300 such programmes since it was founded in 2012, paying out more than US$49 million to its hackers. There currently are more than 390,000 registered hackers on its network. In Singapore, it has worked with clients such as the Ministry of Defence, GovTech, and Grab. 

HackerOne CEO Marten Mickos expressed hopes of hitting US$100 million in paid bounties by end-2020, which would coincide with his aspirations to also have a community of 1 million ethical hackers on its platform. By then, the company expects to have helped its clientele identify and fix more than 200,000 vulnerabilities, including 16,000 bugs of critical severity. 

The company seven months ago set up its Singapore office, which serves as its Asia-Pacific headquarters and supports customers in China, Australia, and Thailand, amongst others. 

Asked how its services differed from security consulting firms, Mickos said there was still a role for third-party consultancies if businesses had a specific problem they were looking to test. "The power of our community is its diversity. Our hackers come without prejudice and know they will get paid only if they find something, so they'll keep looking until they do," he said. 

Luke Tucker, HackerOne's senior director of community and content, said the company worked with clients to determine how many hackers would be invited, and flown into the location, to participate in a live event. Customers also were encouraged to have their own security team join in the bug hunt. 

Tucker added that the client would determine the amount of bounties it wanted to pay and HackerOne would get a commission of the payout. To date, the highest ever paid in a single-day event was US$400,000, he said, adding that multi-day programmes could see bounties exceeding US$500,000.

HackerOne customers also pay a subscription to access services such as its triage team, which is responsible for reviewing and validating bugs that are found during a programme, he said.

To select the hackers who would participate in a programme, HackerOne would evaluate the hacker's position on the company's leaderboard to assess their consistency and profile, including the hacker's accuracy and impact of bugs found. Tucker added that HackerOne also ran Capture The Flag games designed specifically to identify hackers' skills in specific areas such as mobile apps. 

Amongst those who participated in the Dropbox bug hunt in Singapore was Jack Cable, a freshman currently studying computer science at Stanford University. 

At 19, Cable has been a HackerOne member for the past three years and has participated in more than 100 bug bounty programmes, including for Google, Facebook, and the US Department of Defense. To date, he has identified more than 250 vulnerabilities, including more than 30 involving the US Air Force. The bounties he earns have gone towards funding his college education, but he declined to reveal how much he has raked in so far.

Before the Dropbox live hacking event commenced, he already had identified 10 bugs. 

Fellow HackerOne peer and 26-year-old security engineer, Kaung Htet Aung, also participated in the Dropbox bug hunt. 

Kaung, who flew in from Myanmar, has participated in more than 40 programmes, including another live event in New York, since joining HackerOne just under two years ago. His current tally stands at some 100 vulnerabilities, and he, too, had found five before the start of the Dropbox live hacking event.

Kaung majored in computer engineering at the National University of Singapore and said he built up his hacking skills by playing HackerOne's Capture The Flag games.  

Look long enough, holes will be uncovered

Asked which systems were the weakest and hardest to infiltrate, Cable said this depended on the maturity of the organisation's systems and orientation in terms of security. Regardless, he noted, every system would have vulnerabilities. "If you look at it long enough, you're going to find them," he said. "What matters more is how companies respond to the flaws they find." 

Businesses should recognise their systems are likely to have flaws and be willing to find and resolve them, Cable said, and added that their systems could only be secure if they first acknowledged this.  

Mickos concurred, noting that every system had holes and companies should always strive to fix them all. "Start by focusing not on where you are most vulnerable, but where you have the most value at stake such as systems that hold customer data or medical data," he said. Internet of Things (IoT) devices, for instance, typically were poorly protected but usually did not contain much sensitive data, he noted. 

Both Cable and Kaung urged companies to always plan for and look at security from the start and throughout the entire lifecycle of their software development. 

Cable noted this would be difficult when businesses had other issues to worry about, but they needed to realise their security posture would be stronger if they took action ahead of time, while they were still developing the software. 

Kaung agreed, adding that organisations should carry out security tests and reviews as part of their software development timeline. "So while they're developing it, they're making it secure at the same time," he said, noting that this also would ensure additional features were not released unsecured. 

According to Tucker, there had been four to five instances where HackerOne members had been offered jobs at companies that participated in bug bounty programmes. 

Dropbox told ZDNet it invests "heavily" in building its own security team and educating its employees on security best practices and the current threat landscape. This enables everyone within the organisation to better arm themselves against attacks such as spear-phishing and social engineering, the spokesperson said, but he did not say how big its security team was.

He also declined to reveal how many hacking attempts Dropbox detected and blocked a day, but said its global user base of more than 500 million meant the challenges it faced were experienced by few other companies globally. He also declined to detail how many hacking attempts originated from Asia or how many of its users were from Asia.

For its 2018 financial year, Dropbox clocked US$1.39 billion in revenue, up 26% from the previous year, and collected an average of US$117.64 in revenue from each paying user. 
