Interview with Bukhanter Artyom Moscow. He hacked Steam and received the largest award in the history of Valve
Artem Moskovsky is a baghunter, a pentester and a safety officer who immediately wants to ask the shameful question "how much do you earn?" .
We corresponded for several days, and Artem told how he started doing his own business, what skills are needed for this, and whether he draws with such talent on the dark side.
In 2006, when I was 9 years old, I had my first PC, and I unknowingly decided that I would turn in IT. Up to grade 10 was focused on programming. After, when the first successes in infosek appeared, I decided that security was more interesting.
It began with a banal: it was necessary to make a site for the clan in the game Jedi Academy. Then the choice fell on the good old uCoz, but the idea of “making websites cool” remained. I looked at the courses "specialist" in PHP. At the same time, he was hanging out on anti-chat and other thematic forums, reading articles about typical vulnerabilities. It was just interesting.
The years went by, and I was still looking for myself and this led me to an advertisement. Then I used one large advertising network for traffic arbitration. Well, how to use it - sadly updated the statistics and discouraged from the lack of leads. As I remember, the look caught on the date parameters in the request for statistics. A few graceful movements with the fingers of the hands, and a modal window appears in the browser window - it was XSS. I wrote in support, and an hour later my balance on the site showed already $ 300. Then in the 10th grade, having earned the first “serious” money, I thought - yes, this is my topic. With this charge of motivation, I did ten times as much over the next month, helping the ad network sites become safer.
Now I live in Odessa, I study at the Odessa Polytechnic, specialty "Computer Science". But my activities on the Internet to the university is not worth tying. He did not particularly affect it. For almost three years I have been working as full-time pentester. But for a good life, bughunting would be enough.
- You then did not blow the roof of his cool? Like fuck study, work - I will do this here.
- It did not break, but a certain shift occurred. Felt independent of the system.
- Why did you go to study and work? This is a system, and not very effective.
- It's one thing to be part of the system, and another thing to depend on it. Univer and work is a simple way to find like-minded people and friends.
I work full time four days a week. I am looking for vulnerability only when I am in a mood, so it turns out quite unstable. But if you count for a year, then it comes out on bugs to earn many times more.
- Do you fall asleep with offers after your stories?
Yes, offers come. The latter was in a good international company in the position of Application Security Expert.
In 2018, Artem found vulnerabilities in Steam. He promoted SQL injection in the database on the page for partners and found the opportunity to download the keys for any game.
Details about the process he wrote here .
“A file was generated with 36,000 keys for the game Portal 2. Wow.
Only one set turned out that number of keys. And the total sets at the moment more than 430,000. Thus, going through the keyid values, a potential attacker could download all the keys ever generated by the Steam game developers. ”
“ After 5 hours, the vulnerability was fixed, but the status was set to triaged (accepted) after 8 hours and, damn it, for me it was very difficult 3 hours for which my brain managed to survive the stages from denial to acceptance.
Since the vulnerability was not designated as accepted, I thought that the turn to my report had not yet reached. But the bug was fixed, which means it could have been reported before me.
Now, if you count all the money for vulnerabilities from Valve, you get 55 thousand. I think to invest in something, but have not yet decided.
“How is your occupation properly called?”
Baghunting. There are problems when you try to explain to people not from IT what you do. The word "hacker" is closest to them. I am not comfortable to say that, because, in my mind, schoolchildren have vulgarized this word, who threatened to hack your VC or calculate it by ip. Therefore, my usual answer “Well, like a hacker” is accompanied by an awkward look at the floor.
- What kind of skill is needed for this?
Understanding how things work. The result of the previous will be understanding what vulnerabilities may be in their implementations. I like the bughunting of having to deal with different technologies. This is very cool spreading your horizons in breadth. After a while, experience and intuition appear, and you are already in your head modeling the threats to the application under investigation.
I almost always use Python, because it is light and beautiful. But if you need some kind of output on the web, then I resort to PHP. Now for example I am automating some tasks for intelligence. The web interface runs locally on PHP — outputting and managing tasks, and the tasks themselves are sent to Python, the “agents” that are hosted on a couple of VDSs.
Sometimes, when I write something in a hurry and not security, then I can allow myself to unscrew the injections in this “product”, but this is no more than self-indulgence.
- Do you choose a goal for a long time?
I love to look for vulnerabilities in what I use myself. There is a feeling of a challenge, a motivation appears. Sometimes you even know that they will not pay you for it, they may not even answer, but it's just interesting.
If you choose a public program on X1, which has been paying for bugs for several years, then you should not hope for XSS in the search field. Either go deeper where the majority does not reach, or think up a vector that the majority did not think of.
Prior to the story of Valve, Artem described how he found a vulnerability in one of the pools for joint mining of cryptocurrencies - just at the time when everyone clinked on the blockchains and Bitcoin growth.
He found a way to bypass the two-factor identification and seize any account in the application. For the report, Artem was given one bitcoin - at that time $ 18,000. It’s probably more painful to think about how much it costs Artem now than most of us.
Updated: there was a paragraph with a story about a large and expensive company. It had to be removed, because not all large and expensive companies are grateful when they point out vulnerabilities.
- Is it hard to fail?
I would not call it failures. Failure is when you set a goal for yourself: I’ll go to Uber and find RCE, they will pay stomiliens. In my opinion, the right goal is to understand the infrastructure of a company, understand the functionality of a web application, how its parts interact with each other, check different cases. This is a doable task that is in your area of influence. The presence of vulnerability is already outside this zone, therefore, to set such a goal is, first of all, to mock yourself.
If I feel that I have no idea where to go from here, then usually I give myself a few days to get distracted and relax. And then either come back with new ideas, or move on to another goal. By the way, it is worth looking for bugs only when there is a mood, forcing yourself is not effective. As well as in everything else.
- What do you think are more effective, technical ways or social?
Looking for what. Baghanters are not paid for social services, maybe even punished. In real attacks, apply both.
- Should a good beaver have a hacker experience?
Well, if the hacker experience is not 2 years conditional, but the ability to spin injections and find XSS, then yes. Good, I think, should.
- Your work is such a thing, where either it turned out or not. Or it can be done qualitatively and poorly?
- If you mean pentest, then yes, you can do it qualitatively, but you can not. The criteria depend on the situation: from the presentation of the report and the completeness of the recommendations, to the number of vulnerabilities and their severity.
- Do you perceive safeguards as enemies or as colleagues?
- As colleagues. I myself consider myself safe.
- Do you feel superiority over ordinary developers?
Developers are different. I definitely feel superior to those who concatenate user input with a SQL query. And if you take the whole sphere, it is difficult to say, because I am somehow the actor in both.
From time to time I get thoughts about creating and developing my own interesting services and tools in the field of information security. Therefore, I often find myself in the process of “creation”. So far everything is for myself, but maybe the world will see my creations.
What would I do if the world got in a fantastic way and security was no longer necessary? I would choose between working in Uber and Yandex.
But seriously, my skills would be enough to work as an average programmer. In general, I do not see the difficulty of finding a job in IT, if you already have a certain horizon, you simply deepen your knowledge of what is most interesting.
- If you were now compiling a training program for a hacker / baghunter, what subjects would there be?
Programming. English is all valid information in English. Literature - reading reports from X1. Anonymity. Physical culture - in case of patena if bad with anonymity. The right - if it is bad with physical culture.
- I saw, in the comments you were asked why you are not going to the dark side. If you do not laugh it off, then why not?
Peaceful sleep and inner harmony is more important than any money.
“If you did, would you be a good criminal?”
Yes, I would take it from the rich and give it to the poor. If I ever get caught in the hot, then most likely I simply unsuccessfully and not anonymously blamed the company's bug, which has no official bug-out and it reacts badly to outside help. Well, if I am a good criminal, you will not know about it.