The world’s largest cosmetics and personal care company is the latest illustrious brand to enjoy the benefits of a live Bug Bounty with YesWeHack.
Websites, APIs and mobile apps belonging to L'Oréal are now significantly hardened thanks to the discovery of 71 vulnerabilities during an 18-hour event at the LeHack conference last week.
The live hacking event in Paris began at 10am on day two of LeHack (7 July) and concluded at 4am the following morning after some intensive triaging. The rewards grid went up to €5,000.
Bug Beauty contest
The scopes comprised a representative sample of L’Oréal’s most business-critical assets, including:
- E-commerce websites for various brands and markets, built on different core technologies
- Mobile applications used by customers
- Business-to-business applications
- Technologies highly specific to L’Oréal that process sensitive customer data
Impressed by the initial findings, L’Oréal’s security team extended the scope early in the evening to maximise the talent and unique opportunity available – a decision vindicated by the submission of some invaluable findings as the event drew to a close. Most notably, credentials were available for one added scope – an uncommon move for a live hacking event – which allowed hunters to dig deep into a new application and make some intriguing discoveries.
Podium
More than 50 YesWeHack-registered hunters kicked off the event and around 100 took part overall, with 31 making it onto the leaderboard.
‘DinDinDin’ led the leaderboard by a huge margin in his first-ever live hacking event (although he didn’t take the lead until the second half of the event). He notched 142 points via nine bug reports.
In second place, ‘Borgi’ accrued 49 points from six vulnerabilities, while third on the podium was ‘cosades’, who scored 45 points from three reports.
The final podium:
🥇 DinDinDin
🥈 Borgi
🥉 Cosades
It’s not about the money, money, money
However, the leaderboard is only one part of the story of live Bug Bounties, which are as much about (if not more so) collaboration and community.
“It was really nice to meet [fellow hunters] again and to discuss with some managers of programs I'm used to hunting on,” said ‘Aituglo’, one of the participants, in a review of LeHack on his website.
Aituglo said his own pre-event automation work and the support of his peers paid dividends for L’Oréal. A custom plugin helped him “get a hit for an XSS” within five minutes of starting his hunt, then “with the help of some friends, I got a nice PoC to steal the password of the user”.
Despite the generous bounties on offer, Aituglo said that making “a lot of money” was not the overriding incentive. It’s “more to discuss and see your friends, hunt together and so on”.
The overall winner, DinDinDin, said:
“Thank you for this wonderful event. It was a pleasant surprise and an honour to top the leaderboard. This motivates me to continue learning and improving.
“It was my first in-person event in cybersecurity, and it was really exciting. The other participants were all friendly and warm. The event was well structured, with responsive support. A very positive and enriching experience.”
The event was also “an enriching experience” for another hunter, @dropn0w, who posted on X: “We learned many valuable lessons and measured our skills against the best hackers in France.”
Key benefits
Guillaume Kermarrec, threat and vulnerability manager at L'Oréal’s CyberDefence Center, and in charge of L'Oréal’s Bug Bounty Programs, said:
“The key benefits were meeting the security researchers, meeting the triage team, and working together to find and fix some complex vulnerabilities. We focused on our most critical websites, both global websites and from different regions, B2B and B2C, and some uncovered assets like APIs and mobile applications. Thanks to this live event we could test some new scopes with very specific configurations that couldn’t be added to our continuous program. We have found some interesting vulnerabilities at the live hacking event.”
Fabio Bührer, global application security manager at L'Oréal’s CyberDefence Center, said:
“The scopes have been tested in the past and now there’s a lot of good people here going through the scopes to see if there’s anything that needs to be taken care of. It’s good to meet the people who work on the program virtually and see that they actually exist – they’re not just an avatar or AI! YesWeHack did a great job of organising this.”
From YesWeHack, a sincere and heartfelt thanks to all participants for helping to secure the digital assets of L'Oréal, the personal data of L'Oréal customers, and the global internet as a whole.
The L'Oréal event follows a recent Live Bug Bounty held for a similarly glamorous and legendary French brand: Louis Vuitton, which was more than satisfied with the outcome of YesWeHack’s second ‘Hack Me I'm Famous’ event. That in turn came hot on the heels of a late flurry of serious vulnerabilities found in the scopes of Groupe Caisse des Dépôts (CDC), a French public financial institution, at InCyber Forum (FIC) Europe. The targets for LeHack 2023, meanwhile, were provided by the French Red Cross and retail distribution giant Les Mousquetaires Group, and also yielded an impressive bug haul.
Bug Bounty booth
YesWeHack also welcomed a steady stream of ethical hackers, security researchers and other security professionals at our LeHack booth, in Cité des sciences et de l'industrie.
As well as discussing our Bug Bounty and Dojo CTF training platforms, we gave away countless t-shirts and other swag. Other sought-after merch was exclusively available to anyone who managed to take on our claw machine (pictured) and triumph.
Finally, many thanks to our tech ambassador, BitK, for the CTF he created exclusively for LeHack attendees (the ‘Pandemic CTF’).