France’s coolest hacking conference was a resounding success for two of our clients after our recent Live Bug Bounty at LeHACK saw huge participation and dozens of significant vulnerabilities.
The French Red Cross and retail distribution giant Les Mousquetaires Group were delighted with the 69 security bugs uncovered during the 21-hour live event in Paris on 30 June and July 1.
Elsewhere at LeHACK’s ‘Kernel Panic’ edition, our Tech Ambassador, BitK, showcased a new prototype pollution tool alongside fellow Hexpresso CTF hacker SakiiR. BitK was also the architect of a hacking challenge that ran throughout the event and netted prizes for the top three performers.
YesWeHack’s aesthetically appealing booth, meanwhile, was continuously busy with hackers and cybersecurity professionals seeking swag and information about our Bug Bounty, VDP and pentest management services, as well as our training platform DOJO.
LIVE BUG BOUNTY
Our Live Bug Bounty attracted a huge number of YesWeHack-registered hunters and ran between 10am on day two and 7am the following morning. The rewards grid went up to €2,000.
These hunters made the final podium:
🥇 ZaX
🥈 AMakki1337
🥉 W0rty
Serial winner ‘ZaX’, from the BZHunt team, triumphed with 158 points. ‘AMakki1337’, who led the field for a time, finished second on 91 points, ahead of third-placed ‘W0rty’ on 72.
ZaX – who also won Decathlon’s Bug Bounty event last year – amassed six reports and four rewards; AMakki1337 garnered 23 reports and five rewards; and W0rty got three reports and three rewards. Check out the final leaderboard here.
The first bug was surfaced within 50 minutes and the most frequent flaws were IDOR and improper access control issues.
As usual with Live Bug Bounty, hunters collaborated to great effect and clients’ security teams benefited from liaising in person with the hackers and YesWeHack’s triage team. For instance, fruitful discussions over certain Red Cross scopes helped hunters understand expected behaviours and the potential impacts of certain findings.
The fact that both Red Cross and Mousquetaires teams comprised development, security and operations experts meant hunters could get satisfactory answers to a wide range of questions. Five on-site Red Cross engineers with direct access to the codebase and CI/CD impressed the hunters by fixing vulnerabilities rapidly and asking hunters for double verifications.
YesWeHack funds Red Cross bounties
The event was the fourth Live Bug Bounty YesWeHack has held on behalf of the Red Cross. Ever since the first event in 2019, YesWeHack has exclusively funded the Bug Bounty rewards to secure the digital assets of the world’s oldest humanitarian aid organisation. Les Mousquetaires (‘The Musketeers’), meanwhile, is a French distributor and symbol group that operates internationally. Hunters were invited to probe an IT management system used by the group’s 3,900 stores, seven brands (Intermarché, Netto, Bricomarché, Bricorama, Brico cash, Roady, Rapid Pare-Brise), logistics hubs and support services.
ZaX said:
“There were so many awesome things about this live hacking event! First, it’s great to see more and more hackers team up and we love seeing the community evolve year after year. There’s a significant increase in fast-improving young and new hackers joining the YesWeHack community.
“LeHACK has a great legacy and is still THE French hacking event. What’s better than getting great scopes and finding crazy vulnerabilities?
“What we love most is that these live hacking events are always full of surprises: there’s always an unexpected bug at 3am where everyone is going nuts because it will chain perfectly with all the other vulnerabilities! And that’s what we did: it’s just so cool to find the key that leads where no one went before. After all, isn’t that the spirit of hacking? Pushing the boundaries with creativity, sharing and an overall joyful ambience?
Last but not least, in a world where Bug Bounty becomes more and more popular, the attention and care provided by the platforms towards the hunter makes quite a difference – and I’m proud to say that we’re never disappointed with YesWeHack.”
‘Immediate return on investment’
Fabrice Bru, CISO, Les Mousquetaires Group, said:
“Bringing together over 100 people looking for vulnerabilities on as many of our sites as possible means we can capitalise on the maximum amount of information in the minimum amount of time – and have an immediate return on investment. For the time being, we’re actually achieving our objectives, since we’ve started to identify some very interesting cases.”
Mondher Saadaoui, Digital Lab Technical Lead, Les Mousquetaires Group, said:
“It’s going to help me in my next developments, to anticipate corner cases that hunters are raising today, and implementing security by design, so to speak.”
Cédric Gageat, Volunteer Developer Team Lead, French Red Cross, said:
“We submitted two applications, Minutis and RedCall, to YesWeHack’s community of hunters. These applications are used on a daily basis, and will be used for major upcoming events, such as the Rugby World Cup and next year’s Olympic Games.
“It’s always a pleasure to take part in this type of event. We learn a lot from confronting YesWeHack’s high-quality community of hunters. So once again, thank you to them for inviting us!”
Prototype pollution tool
BitK and SakiiR’s presentation on prototype pollution explored a relatively novel, technically fascinating vulnerability class. These JavaScript flaws enable attackers to take control of the default values of objects properties and – in the worst-case scenario – achieve remote code execution on vulnerable applications.
BitK and SakiiR outlined various JavaScript prototypes and prototype pollution attacks before showcasing PP Finder, which simplifies the task of finding prototype pollution gadgets and identifying vulnerabilities in JavaScript codebases.
BitK says the tool is “now way easier to run” following modifications made since its launch in February 2023. “Instead of compiling ahead of time the project you want to audit with pp-finder, you can now use pp-finder as an experimental loader, to instrument the code at runtime, leaving the file on the system untouched,” he explains.
The BitK challenge: Defeat the Machine!
BitK’s hacking challenge invited attendees to submit code to run on his server in a bid to read /flag.txt. “But before running the code, I asked ChatGPT if the code was malicious – if it would try to read the flag,” BitK explains. “If yes, then the code would be dropped. Participants’ score was based on the length of their payload.”
The overall winner, ‘FeelProud’, won a one-year license for Burp Suite, the renowned web security testing tool. Second place and a one-year license for hacking training platform Hack the Box went to ‘Podalirius’, while ‘Vozec’ claimed third place and a bumper swag pack.