“Seeing an exploit without understanding how any of it works felt like witnessing someone doing actual magic.” In his search to understand new-to-him security vulnerabilities, Matthew Bryant (@iammandatory) has found some iconic bugs. He chatted with us about those finds, collaboration, and the tools he builds as a modern-day security magician.
Tell us a bit about yourself.
I’m a hacker who’s pretty passionate about what I do. I’m a college dropout working in the security industry turning Diet Coke into bug reports. I wouldn’t describe myself as particularly smart, but I’ve gotten pretty good at forcing myself to work hard until I understand things. I try not to take things too seriously, and love to talk with people with unique personalities and perspectives.
How did you first get interested in computers and hacking?
It started as a love for the “dark magic” side of hacking. Seeing an exploit without understanding how any of it works felt like witnessing someone doing actual magic. In a lot of ways it still feels that way to me even today, despite the fact that I now have a greater understanding of how it all works. It’s super cool how I can view a year-old exploit I’ve made and suddenly it’s magic to me again because I’ve completely forgotten how it all worked.
Did you have a mentor who encouraged your interest?
I’ve had quite a few mentors over the years I think. Mainly smart people I’ve worked with and around. I wouldn’t say there’s one person specifically, but I know some people reading this will know who they are. I often wonder if the people who write random security blog posts know how much their work has taught me.
What motivates you to do this type of work?
A number of things - mainly the people, challenges, and the satisfying feeling of finding something really subtle and high impact. There’s honestly nothing better than working long hours to find a bug and coming up with something really clever.
On your blog you often reference collaborators. What role does collaboration play in hacking and which hackers do you follow closely and admire?
Collaborating (whether mentioned or not) definitely plays a big role. I think the quote “good artists copy, great artists steal” really can’t be understated when it comes to security. For this reason, I try to always make a conscious effort to not discount other hackers’ approaches to problems. When I collaborate and work with other people in the field I try to take in all of their best traits and learn them myself. I also always try to ensure everyone gets proper credit when they help with work (even if it’s behind the scenes). There’s nothing that people get broken up over more in this industry than claiming other people’s work as their own, or not getting appropriate credit where it’s due.
If I had to list all of the hackers I admire it would probably be most of this Q&A. Some that come to mind are Moloch, Shubs, Lavalamp, itsC0rg1, HackerBadger, Robr, Jordan, vt, Nyx, Redshift, BoredEng, Conan, zemnmez, PWNetrationguru, fin1te, Alex, libber, basically everyone on the Google and Uber security teams (too many to list), the Bishop Fox folks, and a bunch of the bug bounty hackers (you know who you are). If I left anyone out I’m sorry, I blame the lack of sleep I get and I promise I’ll buy you a beer to apologize!
You found an RCE in Signal while attempting to independently validate the one found by Iván Ariel Barrera Oro, Alfredo Ortega, and Juliano Rizzo. Is this a common way for you to grow your skills? What advice would you give to others looking to get into hacking?
I think this was a good example because it reflects how a lot of my hacking comes from me just getting super interested in something and digging deeply into it until I find bugs. In this case, I just saw a tweet on Twitter and decided to see if I could reproduce it. I really feel like I don’t get to control what the next thing will be, it just seems to happen.
If you’re looking to get into hacking I’d say get into security consulting (as crazy as it can be) and work closely with the most talented hackers you can find. Try to soak up as much as possible, be humble, and don’t idolize people who you wouldn’t want to be roommates with. I remember when I first started working in security and I would write down every term people said at work that I didn’t understand and would go home and cram-learn it. You do that for long enough and I guess eventually you start to know what you’re talking about (I assume).
You have written or collaborated on several open source tools for hacking. What role does programming play in your hacking?
Programming is essential to my hacking and I find myself writing more and more code as I get better at finding vulnerabilities. It serves a few different roles for me:
It allows me to really understand what goes through the mind of a developer when writing code. Some of the crazier exploits I’ve been able to find have been because I was able to think “how would I write this functionality?” and realize what mistakes I would’ve made. In my opinion, this is the “sixth sense” that I’ve observed in a lot of strong hackers who seem to be able to just look at an application and tease out even the most obscure bugs.
I hate doing repetitive tasks and I’m always looking for shortcuts so I don’t have to do menial work. If I see something that can be automated but I don’t have time to write the code I’ll throw it in my TODO and work on it later. Most of my tools (for example tarnish) are exactly that: a tool that I needed during an audit that didn’t exist - so I wrote it.
When I am doing vulnerability research I often need to collect data to investigate if a theory is correct. Being able to whip up a script to validate my theories is really cool, and it is a lot of what I love about writing code.
What types of bugs do you like to hunt?
While I try to never neglect the bread and butter vulnerabilities (e.g. the OWASP top 10 style issues), I really like to find new or obscure bugs. By “new bugs” I mean finding new systemic problems with existing frameworks, platforms, etc. It feels really cool to break new ground on something where very few other people have bothered to investigate. For example, I think a lot of the domain-hijacking/expired assets research was a good example of this. Additionally, when I see a new vulnerability others have found I put it on my “to-find” list for future audits.
What’s the one bug you’re most proud of yourself for finding?
This is a really tough one. It’s a close call but I think the .io TLD hijacking vulnerability probably takes the cake. The main reason being that this was the result of a few months of research I had been doing into TLDs and the DNS. Oftentimes when I’m engaging in really lengthy research efforts I’ll have thoughts like “Am I wasting my time with this? Is this just me trying to find something where nothing exists?” So having a high impact finding come out of it was very validating for me. Vulnerability hunting can be really painful in this way because you can spend a lot of time finding absolutely nothing and get really discouraged.
What’s the biggest bounty you’ve received?
I don’t often submit to bug bounties just because I don’t have enough time to do it on top of everything else. It might be the bug bounty Google awarded me for a DNS issue I reported to them ($1337). I ended up donating it to the Tor Project and they doubled it! Not super impressive in amount compared to what I’ve seen, but hey, my taxes are simpler this way.
What’s the best piece of swag you’ve received?
This is a great question. I have so much HackerOne swag at this point that I feel like a NASCAR driver (especially given all the logos plastered on my laptop). That being said, the flat screen TV that Samsung sent me for reporting an account hijacking vulnerability in their store back when I was in college is probably it (I still use it today!). They actually didn’t tell me beforehand, so when I got it I had a brief argument with the delivery person over whether or not the delivery was a mistake. “Your name is Matthew Bryant, right? And you live at this address? Then this package is for you! Sign for it.”