Hong Kong hacker @filedescriptor likes to hack on Twitter, Google and GitHub because he’s active on all three, and being very familiar with their features adds an extra layer of fun for him. He’s ranked in the top percentile of hackers on the HackerOne platform earning himself invitations to multiple global live hacking events including London, San Francisco, Las Vegas, New York, Montréal, Vancouver, Singapore and most recently, a few virtual ones, as well. Filedescriptor says he owes a lot to the community and has been giving back by posting security research, blogs, and videos produced by him, @ngalongc and @EdOverflow on their YouTube channel. Check out our interview below to learn more and get inspired.
How did you come up with your HackerOne username?
There was a CTF which involved a file descriptor and I thought that was clever. I didn't have a "hacker" name at that time so I chose it.
How did you discover hacking?
There were multiple stages where I discovered and rediscovered hacking. The very first encounter was in elementary school where I discovered a way to do online homework before it's released. I noticed the URL in the address bar looked something like /homework?date=2005-05-05. I was thinking if I changed it to a future date, would I be able to access it? It worked! I didn't know that was hacking at the time because it was so simple.
When I was in secondary school, I was learning to develop PHP applications. I was reading a book about AJAX and in the last chapter it talked about security — SQL Injection and XSS specifically. Every vulnerability example it mentioned was exactly what I wrote in the code! I then tried to hack my own application and was fascinated. From there I looked up more security information from the Internet and learned OWASP Top 10.
What motivates you to hack and why do you hack for good through bug bounties?
It's challenging and rewarding, and I get to help companies become more secure. Learning new stuff makes me giggle. The community has played an important role in my learning process and I have met a lot of people along the way. Of course, money is also a big motivation.
What makes a program an exciting target?
Having a scope with depth instead of breadth is important and exciting. I focus on features at the application level with business logic issues.
What keeps you engaged in a program and what makes you disengage?
Having good communication from the team keeps me engaged. A good program, for example, is responsive and comes with fair payouts. I avoid programs that are not responsive and have a lot of duplicate bugs.
How many programs do you focus on at once? Why?
One at a time. Only digging deep allows me to unveil bugs that nobody has found yet.
How do you prioritize which vulnerability types to go after based on the program?
I go for simple bugs that have huge impacts. Often they are in Authentication, Access Control, Business Logic, or XSS related.
How do you keep up to date on the latest vulnerability trends?
Twitter. Collaboration with other hackers. My pentesting job.
What do you wish every company knew before starting a bug bounty program?
They should conduct a penetration testing before releasing a program (even if it's private). It's discouraging for both hackers and the program when tons of duplicates are submitted.
How do you see the bug bounty space evolving over the next 5-10 years?
More programs. Better payouts. Greater competition.
How do you see the future of collaboration on hacking platforms evolving?
More and more people will collaborate because we all have different sets of skills. I wouldn't be surprised if it became esports like!
Do you have a mentor or someone in the community who has inspired you?
Egor Homakov and Mario Heiderich. I enjoyed Egor's bugs and discovered bug bounty from reading his blog. I learnt a lot of XSS tricks from Mario's work.
What educational hacking resources would you recommend to others?
Check out our YouTube channel Reconless!
What advice would you give to the next generation of hackers?
Those hacking scenes you see on the movies where hackers smash the keyboard with a bunch of terminals open are inaccurate. In reality, you most often just need to change one parameter and it's already a critical bug. Don't be scared and think hacking is rocket science!
What do you enjoy doing when you aren't hacking?
Tetris, chess, touch typing, watching YouTube videos, learning smart contracts.
Any last-minute thoughts you want to share?
Hacking has completely changed my life and I will never forget.