HackerOne

Hacking the Singapore Government: Q&A with Hacker Personality Samuel Eng

Q&A With Hacker Samuel Eng

Hackers represent a global force for good, coming together to help address the growing security needs of our digital society. They can be found in over 170 countries across the globe, with a growing base of talented hackers in the Asia Pacific region. Among them is Samuel Eng (better known online as @samengmg), a 30-year-old hacker from Singapore, who is one of the top performing hackers on the most recent Singapore Government Technology Agency (GovTech) bug bounty program.

Like most hackers today, Samuel is self-taught, and his bug bounty experience is extensive and varied. Not only is this not his first time hacking on the GovTech programs, but he has also reported some very interesting and critical bugs on non-government programs, which you can check out here and here.

We recently sat down with Samuel to learn more about his hacking career, the future of hacking in Singapore, as well as to hear his advice for new hackers. 


Q. Congratulations on being one of the top 3 hackers on the most recent GovTech Bug Bounty Program. How do you plan to spend the bug bounty money?

Thank you :) The extra cash certainly is most welcome. I've bought some furniture for my up-and-coming new house.

Q. When and how did you start hacking? Do you have a favorite type of bug or a bug that you were most proud of? 

I started learning about hacking in my university years, around the age of 23. Like most hackers, I am self-taught. I love server-side vulnerabilities such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI) or code injection bugs.

I did take a lot of certifications, such as Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE), for example, and I read a lot of blogs, including Chinese, South Korean and Russian security blogs. I do not want to miss any information.

There was an SSRF bug in a PDF generator which set the tone for my part-time HackerOne career. Although HTML injection was possible, I had to bypass a tricky Web Application Firewall (WAF) to inject JavaScript. After getting file read access using the injected JavaScript, I reported what I had found to the program, showing the usual /etc/passwd contents, thinking it would be enough to get the max bounty. About 15 minutes later, the program owner replied, stating that since the server was using Kubernetes, the impact was not that severe.

At that point, I didn't even know what Kubernetes was, and I had to do extensive reading and actually set up my own environment to understand Kubernetes better. Eventually, I learned about some of the insecure configurations that developers tend to introduce and, as a result, I was able to showcase a greater impact to the program owner.
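The bug Samuel describes above is a server-side HTML-to-PDF renderer that will fetch whatever URL the injected markup points at, including file:// paths and internal addresses. The following is an added example, not code from Samuel or from any program he reported to, of the two controls a defender would put in front of such a renderer: a fetch-URL policy (https only, host allowlist, no IP literals, and every resolved address must be public) and an HTML sanitizer that strips script-bearing elements, inline event handlers and unsafe fetch targets before the document reaches the renderer. The allowlisted host `assets.example.test`, the `FAKE_DNS` table and the sample invoice markup are all constructed so the example runs offline; a real deployment would resolve with `socket.getaddrinfo` and apply the same address check.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only origin the PDF renderer may fetch assets from.
ALLOWED_HOSTS = {"assets.example.test"}

# Constructed stand-in for DNS so the example runs offline. A real deployment
# resolves with socket.getaddrinfo and applies the same check to every address.
FAKE_DNS = {"assets.example.test": ["93.184.216.34"]}


def is_safe_fetch_url(url, resolver=FAKE_DNS.get):
    """Allow only https URLs to allowlisted hosts that resolve to public addresses.

    Rejects file:// and every other scheme, non-standard ports, IP literals
    (which would sidestep the host allowlist), hosts outside the allowlist, and
    names that resolve to loopback, link-local, private or otherwise non-global
    addresses (the SSRF path into the pod network or the node).
    """
    parts = urlparse(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:            # malformed port string
        return False
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False              # IP literal: reject outright
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False
    addresses = resolver(host) or []
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addresses)


# Elements that can run script, embed other documents or pull remote resources.
BLOCKED = {"script", "iframe", "object", "embed", "link", "meta", "base",
           "form", "style", "svg"}
BLOCKED_VOID = {"link", "meta", "base"}     # never have a closing tag
URL_ATTRS = {"src", "href", "background", "poster", "data"}
DROP_ATTRS = {"style", "srcset"}            # can smuggle url() or extra URLs


class PdfHtmlSanitizer(HTMLParser):
    """Rewrites untrusted HTML before it is handed to a server-side PDF renderer."""

    def __init__(self, url_check=is_safe_fetch_url):
        super().__init__()
        self.url_check = url_check
        self.out = []
        self.skip_depth = 0      # > 0 while inside a blocked element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:
            if tag not in BLOCKED_VOID:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name in DROP_ATTRS:
                continue                                  # inline handlers, style, srcset
            if name in URL_ATTRS and not self.url_check(value or ""):
                continue                                  # unsafe fetch target: drop it
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)                  # <img/> etc.: no closing tag emitted

    def handle_endtag(self, tag):
        if tag in BLOCKED:
            if tag not in BLOCKED_VOID and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                                              # comments add nothing to a PDF

    def result(self):
        return "".join(self.out)


def sanitize_for_pdf(untrusted_html, url_check=is_safe_fetch_url):
    """Return HTML that is safe to pass to the renderer."""
    parser = PdfHtmlSanitizer(url_check)
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()
```

The resolver hook matters as much as the allowlist: with only a hostname check, a name that resolves to an internal address still reaches the pod network, so every address the renderer will actually connect to is checked with `is_global`. Bypassing a WAF, as in the story, is irrelevant to this design because the renderer itself never sees `<script>`, event handlers or non-https URLs.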

Q. Do you remember when you found your first bug? What was the type of bug? How did it feel to find it? 

My first bounty on HackerOne was from Zomato. It was a SQL injection (SQLi) in a cookie. On Saturdays, I usually spend my time doing physical activities, but on that particular day, I was sick with the flu. Since I am a person that cannot sit still, I decided to start hacking (not advisable!). I decided to try weird stuff and start fuzzing weirdly named cookies. I was shocked that it actually worked. The moral of the story is that if you never try, you will never know :) You can find my first report here: https://hackerone.com/reports/300176
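A SQL injection in a cookie, as in the report Samuel mentions, comes from treating a cookie value as trusted input and pasting it into query text. The following is an added example, not code from Samuel or from Zomato, that places the vulnerable pattern beside the hardened one: validate the cookie's expected shape first, then bind it as a query parameter. The `sessions` table, the two 32-character hex tokens and the usernames are constructed sample data held in an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed convention: session tokens are exactly 32 lowercase hex characters.
# Anything else is rejected before the database is touched.
SESSION_TOKEN_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def build_session_store():
    """Constructed in-memory table standing in for the real session store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sessions (token, username) VALUES (?, ?)",
        [("0" * 32, "alice"), ("f" * 32, "bob")],
    )
    return conn


def user_for_cookie_vulnerable(conn, cookie_value):
    """The bug class from the story: the cookie value becomes part of the SQL text,
    so quote characters in the cookie change the query's logic."""
    sql = "SELECT username FROM sessions WHERE token = '" + cookie_value + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def user_for_cookie(conn, cookie_value):
    """Hardened lookup: reject anything that is not a well-formed token, then pass
    the value as a bound parameter so the driver never interprets it as SQL."""
    if cookie_value is None or not SESSION_TOKEN_RE.match(cookie_value):
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None
```

Parameter binding alone closes the injection; the regex check is defense in depth that also gives you a clean point to log and alert on malformed session cookies, which is how this kind of fuzzing shows up in a detection pipeline.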

Q.  What motivates you to hack for good?

I see hacking as a form of hobby. Plus, the feeling of accomplishment when a company replies with an appreciative message for the work that we do cannot be found elsewhere.

Q. Are there any hackers that you look up to?

If there was one, it would be @filedescriptor because his reports always require multiple reads to fully understand the attack chain :)

Q. Do you think the perception of hackers is changing globally? And how about in Singapore? 

There is a positive perception of what it means to be a hacker, not only in Singapore but globally as well. As mentioned before, I always receive a positive response when I inform my friends and family that I am hacking as a career. Before bug bounty platforms came about, this was likely to be frowned upon. I think HackerOne has done an amazing job in showing the world that not all hackers are bad.

Q. Do you think hacker-powered security is becoming a widely accepted concept in Singapore? 

Definitely. Bug bounties are getting more and more popular in the cybersecurity industry, and they go hand in hand with penetration testing as a defense-in-depth solution.

Many companies in Singapore are actually planning on having a bug bounty program, but there are also challenges such as budget, legal issues and the fear of change.

Q. What are your hopes for the cybersecurity landscape in Singapore? 

I think the Singapore Government certainly keeps up to date with the industry as shown by embracing bug bounties together with the usual compliance/pentest process. I hope more young students will join our industry and show that Singaporeans can do it too!