Today we present an interview with one of our most active community members – Mat Rollings.
He’s an experienced developer turned application security ‘expert.’ He loves reviewing code and breaking things, making bug bounty hunting his dream job.
In April, he was our top WordPress security researcher and earned a $1553 bounty reward.
Why did you end up in security? Was this your plan all along or was it an accident?
Like many, my early career advice was exceedingly poor; I was discouraged from pursuing computers and, according to some software, I was destined to become a fence erector or a TV aerial installation engineer. So I’ve never had a clear direction of what I wanted to be. This led me to stumble into various career paths happily. Despite this, my interest in security and hacking has remained a steadfast hobby, fueled by my love for the film Hackers and the game Uplink, oddly enough leaving me with a passion for roller skating and hacking.
So I’ve been a software developer for over a decade, proficient in a variety of programming languages and frameworks but with a special love for Android apps. I’ve self-published a semi-popular Android network security toolkit, PortDroid, and co-authored RootBeer, a widely used root detection library present in approximately 1.5% of all Android apps.
But I’d never really considered that you could do hacking as a profession until I saw a local university offering a cyber security course. I enrolled in the master’s program, where I found the training outdated and lacking. This led me to seek practical learning through online platforms and to engage in and develop CTF competitions. After completing my degree, I transitioned from software development to becoming an application security “expert,” eventually managing the AppSec team at one of the online training platforms.
After several years in the AppSec field, I decided to step back and focus on what I enjoy most: teaching and bug hunting. This shift allowed me to align my career more closely with my passions, continuing to challenge and fulfill me every day.
What tips would you give a person interested in ethical hacking?
Learn REGEX. I used to hate it and put off learning it for so long, but now I love it and can’t work without it. I’ve found mastering REGEX can work as a vulnerability multiplier: each time I find a vulnerability I look for similar code elsewhere, and this almost uncovers more results.
How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?
I have a software development and application security background and would like to try and use this to my advantage. Rather than looking for vulnerabilities directly, I imagine vulnerable code snippets that I think developers may have written and then go to work hunting for that code. This allows me to come up with a large list of targets that I can then work through systematically testing to see if they are vulnerable in practice.
What makes Patchstack’s bounty program different from the rest?
Patchstack’s gamification adds a competitive edge that drives me to find more vulnerabilities, though it can be a bit intense sometimes. Its community is also more vibrant compared to other programs, featuring a diverse group of members like plugin developers in their Discord channel rather than only bug hunters.
Is there a vulnerability you found that you are most proud of? How did you find it and why do you consider it so special?
It has to be the Unauthenticated RCE I found in the antimalware plugin GotMLS. This took over my life for several days. I knew that the code was likely vulnerable, but I had to chain so many things together to get full remote code execution. The way the final exploit works is by modifying the plugin’s own source code to leave behind an exploitable fragment; that was a lot of fun to write!
If you had unlimited power and could change one thing in WordPress’ security – what would it be and why?
This is a double-edged sword, in terms of bug bounty it’s great as it is. Never change.
From a security perspective, I’ve always found the way WordPress uses (and re-uses) “nonces” baffling. Many plugin and theme developers use these nonces as a form of authentication, something they were never intended to be used for, and as a result a nonce leak can result in serious vulnerabilities.
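To illustrate the regex-driven hunting that Mat describes earlier (imagine the vulnerable snippet a developer might write, then search for it) applied to the nonce misuse he raises here, below is an added example written for this page; it is not Mat's tooling and not code from any plugin. It scans PHP source for AJAX handlers registered with `add_action( 'wp_ajax_…' )` and flags those that call a nonce check (`wp_verify_nonce`, `check_ajax_referer`, `check_admin_referer`) without any capability check (`current_user_can` and friends). The plugin snippet it runs over is constructed for the example, with three invented handlers named `acme_*`, and the regexes are deliberate heuristics: they assume the usual WordPress style of one top-level function per handler with its closing brace in column 0, so they are a triage aid for producing a list of candidates to test by hand, not a parser.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample plugin source (hypothetical "acme" plugin, not a real one).
# Two handlers rely on a nonce alone; one also checks a capability.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_acme_delete_post', 'acme_delete_post' );
add_action( 'wp_ajax_nopriv_acme_delete_post', 'acme_delete_post' );
function acme_delete_post() {
    check_ajax_referer( 'acme_nonce', 'security' );
    wp_delete_post( intval( $_POST['post_id'] ), true );
    wp_die();
}

add_action( 'wp_ajax_acme_export', 'acme_export' );
function acme_export() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'], 'acme_export' ) ) {
        wp_die( 'bad nonce' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden' );
    }
    echo acme_build_export();
    wp_die();
}

add_action( 'wp_ajax_acme_update_setting', 'acme_update_setting' );
function acme_update_setting() {
    if ( ! wp_verify_nonce( $_REQUEST['nonce'], 'acme_settings' ) ) {
        wp_die();
    }
    update_option( 'acme_setting', sanitize_text_field( $_REQUEST['value'] ) );
    wp_die();
}
"""

# Hook registration: captures the wp_ajax_/wp_ajax_nopriv_ action and the callback name.
HOOK_RE = re.compile(r"add_action\(\s*'(wp_ajax_(nopriv_)?[\w-]+)'\s*,\s*'(\w+)'")
# Top-level function plus body; assumes the closing brace sits in column 0 (WordPress style).
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)^\}", re.S | re.M)
# Nonce checks that developers commonly mistake for authentication.
NONCE_RE = re.compile(r"\b(wp_verify_nonce|check_ajax_referer|check_admin_referer)\s*\(")
# Real authorization checks; absence of all of these is the signal we hunt for.
CAP_RE = re.compile(r"\b(current_user_can|user_can|is_super_admin|is_user_logged_in)\s*\(")


@dataclass
class Finding:
    function: str
    hooks: Tuple[str, ...]
    unauthenticated: bool   # also reachable via wp_ajax_nopriv_*
    has_nonce: bool
    has_cap: bool

    @property
    def nonce_as_auth(self) -> bool:
        # The pattern from the interview: a nonce is the only gate on the action.
        return self.has_nonce and not self.has_cap


def scan(php: str) -> List[Finding]:
    """Return one Finding per function that is registered as an AJAX handler."""
    hooks_by_func = {}
    for m in HOOK_RE.finditer(php):
        hooks_by_func.setdefault(m.group(3), []).append(m.group(1))
    findings = []
    for m in FUNC_RE.finditer(php):
        name, body = m.group(1), m.group(2)
        if name not in hooks_by_func:
            continue
        hooks = tuple(hooks_by_func[name])
        findings.append(Finding(
            function=name,
            hooks=hooks,
            unauthenticated=any(h.startswith("wp_ajax_nopriv_") for h in hooks),
            has_nonce=bool(NONCE_RE.search(body)),
            has_cap=bool(CAP_RE.search(body)),
        ))
    return findings


def nonce_only_handlers(php: str) -> List[str]:
    """Names of handlers gated by a nonce alone, in source order (the candidate list)."""
    return [f.function for f in scan(php) if f.nonce_as_auth]


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        if f.nonce_as_auth:
            reach = "unauthenticated" if f.unauthenticated else "any logged-in user"
            print(f"{f.function}: nonce check but no capability check ({reach}) via {', '.join(f.hooks)}")
```

Every hit still has to be confirmed by hand: the nonce may be emitted on a page only administrators can load, in which case the missing capability check is a weakness rather than a vulnerability, whereas a nonce printed into a public front-end page, or a handler on `wp_ajax_nopriv_`, turns the same code into the kind of leak-to-exploit chain the answer above warns about.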
How have your hacker skills and mindset come in handy elsewhere?
I once managed to lock myself out of my house, leaving both my keys and phone inside. So, I sat down and started thinking of ways to hack myself back inside my house. After hitting a few dead ends at first, I had an interesting idea. I climbed two stories up the back of my house to get close to a bedroom window. From there, I shouted through an air vent to a smart home device to call my wife. Although I couldn’t make out her side of the conversation, I heard the phone ring and then stop. I then shouted my situation through the vent. A few minutes later, she arrived with keys in hand to rescue this adventurous fool.
This story sums up bug hunting to me; always keep asking, “What happens if I do this unexpected thing?”
You can connect with Mat on: