‘I like Android apps and open-source code’: HakuPiku on Bug Bounty, CTFs and his favourite targets

October 28, 2024

Ethical hacker HakuPiku talks on camera to YesWeHack about his Bug Bounty career and his preference for hacking Android apps and open-source code

HakuPiku’s skillset and perspectives as a Bug Bounty hunter have been shaped by his experience as a former developer and ex-pentester, and by his participation in capture-the-flag (CTF) competitions.

Speaking to YesWeHack during a live hacking competition earlier this year (video and transcript below), the Swedish ethical hacker (real name Eldar Zeynalli) reflects on his Bug Bounty career so far. He talks about how he got into hacking, compares Bug Bounty to pentesting, discusses his preference for Android apps and open-source code, revisits his most critical find so far, and explains which (non-IT related) profession bug hunting most resembles.

Registered on YesWeHack since 2022, HakuPiku is a full-time security researcher and bug hunter who also finds time to play CTFs with the Kalmarunionen team, which has won numerous events over the years.

HakuPiku on how he acquired his hacker alias…

Back in high school I guess. Like 8-9 years ago, I was super interested in Japanese anime novels. There was this novel that I liked, and I got the name ‘Hako’ from that. Hako means ‘box’ in Japanese. And I started using Hako as a nickname everywhere and my university friends started calling me Hako as well. But one of them just out of nowhere said ‘HakuPiku’ because Piku was Pikachu from anime, so he just combined the two into something [new]…

And then when I was looking for a nickname, I was like: “I don’t want to use Hako because I’ve used that everywhere and I want something fresh.” I was like: “Why not use HakuPiku?” Because it was so easy to remember.

On how he got into hacking…

I was studying computer science at KTH [Royal Institute of Technology] in Sweden. I had several friends there who were into security hacking, and one of them specifically was doing a lot of CTFs [capture-the-flag competitions]. And after a session of drinking together, we went to his place and he started doing a CTF. I joined him and I realised it was fun. And that’s how I got more into CTFing and from there on, I got more into Bug Bounty and so on.

On whether CTF competitions are useful training for Bug Bounty…

I think it depends on what level of CTFs we’re talking about.

With top-level CTF teams, you’ll see quite unique methods, quite unique tools that you can definitely use in Bug Bounty.

You get a lot of challenges that are like… whoever wrote the challenge found a zero day and made a challenge out of that, and you have to find that same zero day. That teaches you a lot [about how] to read code, and the better you are at reading and writing code in my opinion, the easier it is to hack as well.

On whether coding experience makes you a better hunter…

I’ve worked as a developer before and currently I’m working as a cybersecurity consultant, so I do hacking as a job as well on top of Bug Bounty. It definitely helps to have coded because I think my first big bug on YesWeHack was on an open-source project. I just read through the code, found a bug and reported it.

The closer you get to the code I feel like the easier it is, the more you can find, the more you familiarise yourself with it, so that’s why I like being close to the code. And if you like that, that comes from being a developer or working with the code.

Comparing Bug Bounty to pentesting…

Most of what I do is web pentests, so it’s quite similar to Bug Bounty. But the one difference is why I like Bug Bounty more: you have however [long] you want to spend on a target, to spend on a bug.

Let’s say I want to find some XSS through DOM clobbering or something like that. That is going to take hours of looking through the JavaScript to find some gadget here and there. I can’t do that at a pentest job, because it’s 48 hours of pentest. I have a list of stuff to go through to find the most important stuff.

And I think that’s why Bug Bounty makes you get better as well, because oftentimes, if you’re hunting on a big target that hundreds of hunters have been through already, you need to find something really hard to find.

On his preferred hunting targets…

I’ll go for a lot of projects that have some sort of open-source code in scope. Also, I spend a bit more time on Android applications, reversing them and looking through the code.

Most people just look at basically API endpoints – that’s making API calls from their mobile app – and since everyone does that it’s hard to find bugs of that kind. But I try to look more at native app bugs basically, like Android app bugs, try to learn from others and look at those.

On his most critical bug discovery so far…

Most critical was recently. I was testing some random application on a random scope on a random program.

And I saw some weird error message when I sent something. I was like: “hmm what could this be”. When I googled the error message, I got to a super popular open-source web framework. It was an error from that, and I started looking through what could go wrong when this happens. Then looking through the code, I found something interesting, and I just modified it and sent it in the URL of the website I was testing – and I got local file inclusion, which was super critical.

And then I was like, “let me try and scan the web for this”, and I found that same vulnerability on at least three [programs] – one bank and two top companies – and they paid quite a bit for those. It was a zero day I found on something accidentally.

On the (non-IT-related) profession bug hunting is most similar to…

I like looking for bugs because it feels like you have these clues, and you are trying to piece together these clues to solve a mystery. And I love mystery novels: it makes me feel like a detective, so I love that rush I get from it.
