Europe’s most successful ethical hackers and an iconic luxury fashion house proved an irresistible combination for our most glamorous Live Bug Bounty yet.
From the Paris headquarters of Louis Vuitton, around 40 high-ranking hunters deployed their eclectic skills to produce an impressive variety of findings at the second edition of YesWeHack’s ‘Hack Me I'm Famous’.
Louis Vuitton has declared itself delighted with the results – a reflection of the calibre of the hunters, the time (30 hours) and productive setting for hunting, and the target’s commitment to making its internet-facing applications as secure as possible.
The big reveal
YesWeHack keeps Live Bug Bounty targets under wraps until the last possible moment. This prevents hunters from performing pre-event reconnaissance on the targets to get a head start.
On day one, the hunters were kitted out in stylish, baseball-style jackets customised with their hacker alias, before being led to the mystery venue. En route, some excitedly speculated, aided by Google Maps, which nearby organisation might be welcoming them. A famous company? A government agency?
It was no anticlimax when Louis Vuitton’s impressive headquarters heaved into view.
Founded in 1854, Louis Vuitton’s clothing, bags, jewellery, perfume and other fashion items are instantly recognisable worldwide via its iconic LV monogram. The haute couture pioneer is part of LVMH group, the world’s largest luxury fashion multinational.
If the Live Bug Bounty target excels in its field, then so too do the hunters carefully handpicked for the occasion. Ten of YesWeHack’s all-time top 25 performers were enlisted, although hunters were chosen not just for their leaderboard ranking, but also for the relevance of their skillset to the scopes at hand.
Rapid vulnerability assessment
Louis Vuitton was a tantalising target – and not only because of the lustre of the brand itself.
Unusually in its industry (and most industries), Louis Vuitton develops most of its digital assets internally. Adding to the anticipation for the Live Bug Bounty was an API among the scopes that had not been part of the private Bug Bounty Program.
Partly thanks to some participants’ familiarity with the scopes via the private program, the reports started rolling in relatively early. Vulnerabilities were surfaced throughout, with the final report submitted in the last few seconds of the competition.
Just 30 minutes later the Louis Vuitton team had, with YesWeHack’s support, reproduced and assessed all vulnerabilities.
Taking security seriously
The hackers seemed particularly laser-focused as they hacked for 30 hours with infrequent breaks for food, socialising and sleep.
And yet, they were still happy to take time out to patiently explain their findings to Louis Vuitton security teams during the event. There were also ‘show and tell’ presentations of the most significant vulnerabilities at the end.
“What makes this type of event unique is the intense interaction and collaboration that we saw between the researchers and Louis Vuitton security teams,” said Adrien Jeanneau, head of security analysts and researcher enablement. “We saw some great exchanges between them, and everyone appreciated it! The hunters and security teams delved deep into technical discussions about the findings, even though time was limited.”
Alongside the hacking event, staff from various departments attended demonstrations and interactive workshops about the Live Bug Bounty, phishing attacks and protecting the brand’s global internet assets, among other things.
This, and the attentive engagement throughout of Louis Vuitton’s CIO and CISO, revealed a corporate culture that takes security very seriously – organisation-wide.
Special achievements for a unique event
The top three spots of the final leaderboard were occupied by a Spanish trio who collaborated throughout the event and notched 26 bugs and 23 rewards apiece. Collectively, the hunters reported 133 bugs.
YesWeHack and Louis Vuitton created special awards for notable achievements at the Live Bug Bounty, with the winners taking home YesWeHack souvenirs created for the event. Congratulations to the winners:
- 🧥 Shellcode Stylist (1st place): Diego Bernal Adelantado aka GoDiego
- 🧵 Exploit Tailor (2nd place): Diego Jurado Pallarés aka djurado
- 🎀 Pwnage Designer (3rd place): Carlos Rivero Molina aka hipotermia
- 🧶 Patchwork Pwners (team with highest points): GoDiego, djurado and hipotermia
- 💎 Best-Dressed Bug (biggest impact): HakuPiku
- 👜 Bug Trend-Setter (first valid bug): GoDiego
‘Forefront of cybersecurity’
Christophe Plouseau, Chief Information Officer (CIO) of Louis Vuitton, said:
“This is the very first time a luxury brand has organised such an event, so I am very proud of LV_NEO Teams [Louis Vuitton’s tech team]. We were already in the forefront of cybersecurity and this event is testament that we take cybersecurity and cyber threats seriously, especially in the context of the Paris Olympic Games coming soon, where French firms will be the main target of hackers.
“This was also a tremendous opportunity to have the crème de la crème of hackers with us, to share with all LV employees tips and tricks for what they should do in their personal and professional life to mitigate cyber risk, and share what Louis Vuitton does to protect the company’s assets and information systems.”
The hunters also offered their thoughts on the event:
Nagli: “The experience has been top-notch. I believe we found good bugs… the Louis Vuitton team are great. I would like to thank the YesWeHack team again for the great facilitation of the event, the rewards, the communication.”
Pwnii: “The office is extremely huge and beautiful so we were all looking [forward] to hunt in this place. I really enjoyed the event, honestly. I have the luck to hunt with a lot of friends.”
Drak3hft7: “This is my first experience with a live hacking event and it is an amazing event. It was possible to improve my knowledge. The place is very beautiful. Nice food, nice scope, very nice people. Fantastic hackers and friends.”
HakuPiku: “I knew that they had a quite huge scope. So it was a great feeling knowing there is going to be a lot to hack on, probably not as many duplicates. I’d like to thank YesWeHack for inviting me to this very exclusive event and I want to thank Louis Vuitton for hosting us here at their headquarters.”
And finally, from YesWeHack: a big thank you to all participating hunters, Louis Vuitton and all partners for making this event such a huge success.