Episode 33 Blogcast: Inti's Show and Tell Bugs on Display

Nobody runs the show and tell floor quite like Inti De Ceukelaire! Learn what that means, and about the bugs Inti showcased.

Show and Tell Mastery

If you’re not privy to Live Hacking Events, then you need to immerse yourself. They are on the bucket list of any bug hunter seeking fame, glory, and lifelong connections. We talk about them often on the podcast. However, there are some parts of the event that aren’t always made public.

The 'show and tell' segments at live hacking events, for instance, offer a front-row debrief of some of the more exotic bugs reported during the event.

And few hunters deliver them with as much panache as Inti De Ceukelaire!

Inti emphasizes that a great 'show and tell' isn't just about unveiling the biggest vulnerabilities or the most complex hacks. "In a show and tell, it's more about the story than the bug," he reflects. Inti admits that not all vulnerabilities he showcases are groundbreaking. Some are simpler, more straightforward, yet they hold lessons that resonate with the audience.

Illustrating this point, he shares a rather intriguing achievement of his own. "I think I have the record of having the lowest-rated bug with the highest bonus on HackerOne," he says with a hint of pride. This accomplishment is not about the severity of the bug but the unique approach he took.

The showmanship, and the way he gives each bug a story, is uniquely Inti.

Inti’s Three Bugs

CSS Injection Bug in a Document Signing Service 💉

Inti De Ceukelaire discovered a CSS injection vulnerability in a document signing service, the specifics of which were not disclosed in the discussion. This service held legal importance, allowing users to sign documents digitally.

Using this vulnerability, Inti designed an innovative exploit. He overlaid an image across the entire page of the document. However, the twist was in the image's delivery. Because the image was hosted externally, on a server he controlled, he could analyze the user agent of each request for it. When regular users viewed the document, their browser's user agent meant they saw a standard contract. However, when the document signing service's PDF parser, which had a distinct user agent, processed the document, Inti's server served a completely different document while maintaining the user's signature.

In essence, this exploit allowed Inti to have users unknowingly sign any content he desired. The potential for misuse was enormous, as the signed documents held legal weight, and malicious actors could later claim users had agreed to different terms than they believed they were signing.
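A defensive pre-signing check for the issue described above, added here as an example and not code from the podcast or the affected service: it flags any remotely fetched resource in user-supplied markup, because content a remote server can vary per request means the signer and the PDF renderer may not see the same document. The function names and sample documents are constructed for illustration.

```python
import re

# Constructed sample documents (not from the original write-up).
BENIGN = '<div style="background:url(data:image/png;base64,iVBORw0KGgo=)">Terms</div>'
OVERLAY = '<style>.page{background:url("https://img.example/overlay.png")}</style>'
ESCAPED = '<style>.page{background:\\75 rl(//img.example/o.png)}</style>'

# CSS escapes such as "\75 rl(" spell "url(" and would slip past a naive regex.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
# Targets of CSS url(...), CSS @import "...", and HTML src= attributes.
_REFERENCE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)"""
    r"""|@import\s+['"]([^'"]+)"""
    r"""|\bsrc\s*=\s*['"]?([^'"\s>]+)""",
    re.I,
)
# Absolute (scheme://host) or protocol-relative (//host) targets leave the document.
_REMOTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)


def _decode_css_escapes(text):
    """Resolve CSS backslash escapes so obfuscated keywords become visible."""
    def repl(match):
        if match.group(1):
            code_point = int(match.group(1), 16)
            return chr(code_point) if 0 < code_point <= 0x10FFFF else "\ufffd"
        return match.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def external_references(markup):
    """Return every remotely fetched resource the markup would load."""
    found = []
    for match in _REFERENCE.finditer(_decode_css_escapes(markup)):
        target = next(group for group in match.groups() if group)
        if _REMOTE.match(target):
            found.append(target)
    return found


def safe_to_sign(markup):
    """A document is self-contained only if nothing is fetched at render time."""
    return not external_references(markup)
```

This is a lint in front of the renderer, on the assumption that the service can also render documents with outbound network access disabled so that nothing it misses is ever fetched.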
