At just 17 years old, Miguel Angel Jimeno has already managed to teach a thing or two to IT giants like Google, eBay or Tumblr. This young Spaniard from Santo Domingo de La Calzada (La Rioja) has, for more than a year and a half, been sniffing out security flaws in the websites and applications of these companies. And he’s not doing badly. His work has been praised by renowned IT security experts including Chema Alonso.
Miguel Angel took his first steps in the world of IT security through the page Underc[0]de, a forum for which he moderated the ‘Hacking Show Off’ section. By last January, he had opened his own blog, Researching for Fun. Through this blog Miguel Angel was able to reveal the XSS flaws he discovered in the websites of Internet giants.
“I detect all types of security holes, not just XSS,” he explains. So why does he only publish these? According to Miguel Angel, “XSS flaws are much more common and it’s not so ‘dangerous’ ‘for the company that they are made public”.
With respect to security holes that are dangerous, Miguel Angel has uncovered SQLi vulnerabilities that could allow content to be compromised and databases to be attacked. He has also discovered holes that allow code to be executed remotely (RCE attacks) on some of these Web servers. But what is so serious about detecting XSS vulnerabilities on eBay or Google? In fact, what on Earth are they?
XSS holes
XSS (‘cross-site scripting’) holes allow malicious code to be injected on Web pages, applications or browsers and then executed. It could be a simple link or something more complex embedded with HTML <script> or <iframe> tags (the same as those used to include YouTube videos). To give you an idea, XSS flaws are so simple that they are usually overlooked by the developer of a page or application.
Nobody likes having such simple flaws discovered. Miguel Angel is well aware of this. “I’ve never set out to embarrass anyone or any company,” he says. “At worst I just want to publish these holes so they are obliged to correct them,” an ‘ethical hacking’ principle to which he tries to adhere “as much as possible”.
What inspired him to become a bug hunter was the “the excitement of having the mental challenge of getting past the security filters created by programmers[…] The thrill of showing myself and the rest of the world that nothing is 100% secure”.
One of Miguel Angel’s most surprising discoveries was the security hole he found in the Google Play Store. A feat that earned him the congratulations of Chema Alonso, a leading light in the world of IT security. The 17 year-old told us how Alonso asked him for permission to talk about the discovery in his blog, ‘Un informático en el lado del mal‘.
It seems quite incredible that the products of these multinational technology firms can have such simple security flaws, although it’s not always a great surprise for Miguel Angel: “eBay, in my opinion, is badly designed from the start, and Tuenti is not far off. A friend of mine really showed it up by finding more than ten security holes on the social network”.
One last question. Are these companies ‘grateful’ when someone uncovers their embarrassing mistakes? “Those that don’t have a ‘bug bounty’ program don’t show their gratitude,” says Miguel Angel, who explains that they have even threatened to press charges, given that “looking for security holes without the consent of these companies is illegal”.
Miguel Angel hopes one day to become a professional programmer or ‘pentester’. He’s keen to enter a sector in which, as he himself has shown, even the slightest mistake can be crucial. As is so often said, any system is only as strong as the weakest link, and that weakest link is always human.