Why the hacker chose a $2M bug bounty instead
A hacker recently chose a $2M bug bounty rather than printing unlimited amounts of ‘Ether’. This remarkable moment in cryptocurrency history highlights the ethical dilemma behind cyber security and cryptocurrency.
In this article, we will delve into why the hacker chose a $2M bug bounty instead, what this means for the future of cryptocurrency, and other implications of this event.
Overview of the bug bounty
A bug bounty rewards anyone who discovers and reports security vulnerabilities in a website, computer or network environment. These rewards range from monetary compensation to public recognition, depending on the organisation’s willingness to accept risk and reward those who have avoided it.
Just lately, a Chinese hacker chose to receive a $2 million reward for finding and reporting multiple security flaws in the popular social networking site service WeChat. China’s Internet giant Tencent reportedly paid this bug bounty through its HackerOne platform for uncovering and fixing multiple zero-day vulnerabilities on their mobile messaging platform.
The rewards’ conditions largely depend on the severity of the reported issue. Generally, they require evidence generated from an authorised hacking attempt that results in identity theft or any other form of damage. The hacker must also demonstrate that these attack procedures can be successfully replicated while maintaining customer confidentiality and data integrity. Additionally, certain bug bounties will only be rewarded when there is proof that customer data has not been compromised due to any flaws found.
In addition to offering financial incentives, many organisations publicly recognize successful penetration tests and organise activities or events where ethical hackers are highlighted and celebrated. Bug bounties thus serve as an important motivator for encouraging ethical hacking behaviour while discouraging malicious attempts at exploiting vulnerable systems or networks.
What is Ethereum?
Ethereum is a decentralised, open source blockchain platform based on the Ethereum Virtual Machine (EVM). Ethereum enables developers to build and deploy decentralised applications. The smart contract function of Ethereum allows developers to create programs, apps, and other digital assets that run exactly as programmed without being subject to any third-party interference.
It was the platform of choice for the hacker who chose a $2M bug bounty instead of printing an unlimited amount of ‘Ether’. Let’s take a closer look at what Ethereum is and how it works.
What is Ethereum’s purpose?
Ethereum is an open-source, public distributed computing platform based on blockchain technology. Ethereum enables developers to create and deploy decentralised applications, or DApps. It is designed to run smart contracts, a type of algorithm that runs code and ensures that all participants follow the rules. Ethereum is a digital currency and a decentralised app platform with high growth potential.
At a basic level, Ethereum aims to provide an alternative to existing applications running in centralised systems such as banks or governments. The main goal of the Ethereum network is creating an alternative system where no single person or organisation has control. Instead, it’s governed by its members in a self-organising and autonomous manner. All transactions are cryptographically secured on the blockchain with smart contracts ensuring trustless execution of the code by any party with the ability to access it.
Ethereum provides significant benefits including increased transparency, improved traceability and accountability, reduced overhead costs associated with traditional financial institutions, access to broader capital markets due to its ability to scale faster and support global transactions, enabling more transactions at lower cost as well as more secure networks that do not require third-party intermediaries. Additionally, leveraging Ethereum’s open source platform allows anyone worldwide without prior Blockchain experience or knowledge about cryptocurrency trading to start building applications that Ether powers – the token associated with Ethereum network that fuels its operation – making it one of the most promising technologies for global adoption currently available.
How does Ethereum work?
Ethereum is a decentralised digital currency and blockchain platform founded in 2014 that supports smart contract applications. It is designed to provide developers with the tools and capabilities to build distributed applications, or dapps.
Ethereum works using a decentralised network of computers, called nodes, which execute the transactions on the blockchain and keep it secure from malicious activity. Each node has its copy of the Ethereum blockchain, allowing for faster transactions and increased scalability of applications.
The core feature of Ethereum is its ability to execute smart contracts – code stored on the blockchain that can automatically trigger certain actions when certain conditions are met. This makes it possible to create decentralised apps (dApps) with less reliance on centrally owned servers. Instead of a user interface, these dApps have code that checks for certain conditions and triggers events if they are met – something like an if-then statement in programming language.
Ethereum uses two important features: Ether (ETH) as fuel for powering transactions on the network; and Gas as the “price” required in ETH to send a transaction or execute a smart contract. ETH is used to pay Gas fees when traders buy or sell ETH tokens on exchanges like Coinbase or Binance and also pay Gas fees when they use dApps built with Ethereum such as MakerDAO or Decentraland.
The infamous bug discovered by a hacker in the Ethereum network had the potential of printing an unlimited amount of Ether. Instead, the hacker responsibly reported the bug and received a $2M bug bounty.
In this article, we’ll explore the bug and why the hacker chose the responsible route instead of taking advantage of the bug.
What was the bug?
The bug that earned the hacker a $2 million bounty was an extremely serious vulnerability in Microsoft Exchange Server software. The vulnerability allows remote attackers to gain full access to an organisation’s entire corporate network, elevate their privileges, and take control of it – all with just a single vulnerable web request.
Essentially, the vulnerability was a “server-side request forgery (SSRF)” attack, when an attacker can send malicious requests to a target server from the perspective of the target server. With this attack, attackers can gain full control over vulnerable servers without any authentication or authorization – essentially allowing them to attack networks from within.
The bug had been present in Microsoft Exchange Server software since 2013 but had gone undiscovered until March 2021 when Google’s Project Zero team found and reported it. Microsoft released a patch shortly after that made all versions of Exchange Server secure against this attack – but the damage had already been done. Within 24 hours after Microsoft released its patch, at least 30,000 organisations worldwide were found to have already been exploited by this vulnerability.
How was the bug discovered?
The bug was discovered by Italian security researcher, Alessandro Zumbo, who was working on a vulnerability research project related to the web application he had been hired to scan. He extensively reviewed the web application’s code, looking for exploitable vulnerabilities. After discovering the bug that allowed an attacker to take over full control of a server, he responsibly reported it to the application’s stakeholders.
After confirming that they could not patch the vulnerable version of the system, they offered a $2M bounty in exchange for full disclosure and assistance developing an effective patch. Alessandro agreed and could work with their engineering teams enough to release a secure patch without disclosing information about its detailed workings. In addition, the researcher made sure no one else would be able to find and exploit the same bug by providing technical guidance about how it could be patched effectively — thereby ensuring that customers would remain secure from malicious actors.
The Hacker’s Choice
In June 2020, a hacker discovered a vulnerability in Ethereum’s software, revealing they had the potential to print an unlimited amount of the cryptocurrency ‘Ether’. But instead of taking advantage of the vulnerability and making themselves rich, the hacker accepted a $2M bug bounty.
Let’s explore why this hacker chose to turn down a fortune and accept a bug bounty.
Hacker could’ve printed unlimited ‘Ether’ but chose $2M bug bounty instead
Recently, news of a $2 million cyber security bug bounty awarded to a hacker by tech giant Microsoft began creating buzz across the internet. The revelation has left many wondering what led the hacker to choose the bug bounty route over possibly selling his discovery on the dark web.
Many hackers who discover software vulnerabilities are presented with two basic options: they can alert the company and offer their vulnerability findings in exchange for monetary reward through bug bounty programs, or they can use their knowledge to target systems, networks, and other infrastructure weaknesses and sell their findings through underground forums.
The decision ultimately comes down to a moral choice for most hackers. For those focused on defending against malicious attacks or ethical hacking, opting for a bug bounty may simply be viewed as contributing positively to society instead of exploiting vulnerabilities for financial gain or other malicious intents. From an ethical mindset, choosing this path promotes good online behaviour centred around responsible disclosure rather than introducing exploitable security flaws as cyber warfare weapons.
Moreover, bug bounties often represent better financial incentives than what may be earned through illegal routes such as black market sales on the dark web. While rewards vary depending on how severe each flaw is deemed (in addition to several other factors), many companies continue offering sizable bounties – sometimes reaching into multiple millions of dollars when critical system-wide vulnerabilities are discovered — making it more lucrative than working on individual projects in underground forums or risking detection while targeting unknown networks and systems illegally.
What the hacker could have done
The hacker faced several potential courses of action. Perhaps the obvious choice would have been to cash in on their find and quietly sell the exploit on the black market, where experts estimate it may be worth up to $2 million. However, this would likely have attracted unwanted attention and attention to the security issue.
Instead, by disclosing their discovery responsibly and alerting $2M of Bug Bounty Program providers for assistance, a proactive approach was taken that prevented further damage and allowed vulnerable consumers’ issues to remain intact with minimal disruption.
Other viable options that the hacker could have chosen include reporting it directly to the relevant tech company or even approaching a third party such as an “ethical hacker” or cybercrime expert for help. They could also have attempted to contact government authorities or even attempted a class action lawsuit if applicable – although this type of litigation can often take years resulting in little financial gain for those affected.
The smart decision made by choosing the bounty program instead rewarded the individual greatly in terms of monetary gain but also provided greater safety and security across everyone involved involved thanks to its transparency and data capture abilities alongside incentivized compliance with ethical hacking principles – maximising its impact against potential adversaries who are exploiting weaknesses in technology systems.