17-year-old kid hacks US Air Force for the good

In April 2017, it was reported that the US Department of Defense (DoD) had announced the launch of the “Hack the Air Force” bug bounty program, urging hackers and security researchers to hack the United States Air Force and make some big bucks.

Now, it turns out that Jack Cable, a 17-year-old high school student, made it to the top by hacking and identifying 30 critical vulnerabilities in the Air Force’s cyber infrastructure. As a result, he took home a huge sum of cash, with the Pentagon paying $130,000 in prizes and $1,000 and $5,000 for each vulnerability.

“Two participants in the program were active duty military personnel and 33 participants came from outside the U.S. Top participating hackers were under 20 years old, including a 17-year-old who submitted 30 valid reports and earned the largest bounty sum during the challenge window,” Air Force said in a statement.

In an interview with Marketplace, Cable said that he found an XML external entities vulnerability. “I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on it for a few hours into a remote code execution. So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to.”

Jobert Abma (left) and Jack Cable (right) / Image credit: Marketplace – HackerOne

The bug bounty program was run by the HackerOne platform from May 30 to June 23, and some 272 hackers from all over the United States, Australia, Canada, New Zealand and the United Kingdom participated. These five countries are part of the “Five Eyes” (FVEY) intelligence alliance.

In 2016, the US Department of Defense launched the Hack the Army program, urging hackers to hack the Army for the good. The same year, the Hack the Pentagon initiative was also launched and, as expected, it also helped the military fix critical vulnerabilities in its cyber infrastructure.

A look at Cable’s HackerOne profile shows that two months ago, he also reported vulnerabilities in Zomato, a food and restaurant search engine. Remember, HackRead.com exclusively reported on the Zomato data breach in May 2017, when a hacker going by the handle of “nclay” stole 17 million of its accounts and sold them on the now-seized Hansa marketplace on the Dark Web.

Zomato then started its bug bounty program the same month.

Governments and private institutions are relying heavily on bug bounty programs due to increasing and sophisticated cyber attacks on critical cyber infrastructure. A recent example is the massive data breach against Home Box Office (HBO) Network, in which hackers claimed to have stolen a trove of data and leaked a Game of Thrones episode and personal details of its actors.
