Interview with Kévin Mosbahi AKA Mika

Published 21 January 2025

Today we present an interview with Kévin Mosbahi (most of you probably know him by his nickname, Mika). He lives in France and has been passionate about computers since he was a teenager. Over time he specialized in security, which is now his day job. He is a fast learner and loves picking up new things from different fields.

He’s also on the Patchstack Alliance all-time researcher podium with over 630 contributions.

Why did you end up in security? Was this your plan all along or was it an accident?

I ended up in the field of IT security because it was a logical continuation of my computer training. I started playing around with computers at the age of 10-11, and at first I was scared, because at the time I had a horrible technology teacher who made nasty remarks, so at every computer session I purposely forgot my login details!

Then I gained confidence and at the age of 13, I started to create my own game server, which enabled me to learn SQL, Java, PHP, RDP, and how web servers work. I was able to earn around €500, which enabled me to buy a more powerful PC (4GB RAM).

After that, I always dabbled a bit in IT but never professionally, and then in 2018 I decided to start studying IT (I was originally studying health & sports), so I gradually progressed in areas such as networking, Linux, and Windows. Later I discovered the Root-Me site, which allowed me to start getting a foothold in the world of CTF, and then TryHackMe, which is a great learning site.

So I don’t think it was a predefined goal to work in security, for me it was a logical progression given that I’m very curious and I like to know how things work.

What tips would you give a person interested in ethical hacking?

For me, it’s essential to have solid IT basics. I’ve known a lot of people who wanted to get into cybersecurity without having a basic understanding of IT, and I don’t think that’s going to work.

So my advice is to get a minimum level in networking, systems (Windows and Linux), and programming to be able to script (Python, Bash), and have a global vision of how the Internet works (DNS, IP, DHCP, etc.).

Once you’ve got this down, you can move on to learning sites, and I recommend sites like Root-me, and TryHackMe (especially this one, as I think it’s the best learning site).

I’d also advise you to put your ego aside, never rest on your laurels, and always be on the lookout for new things, as the field is constantly evolving.

How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?

At the very beginning of my research adventure I was mostly black-boxing, taking plugins at random or by theme, but over time I moved towards white-boxing. My process is to analyze the source code of plugins, focusing on dangerous patterns and functions that I know. I analyze each plugin by hand and I also test it by hand; I do very little automation.

I’m mainly looking for Broken Access Control & Privilege Escalation.

What makes Patchstack’s bounty program different from the rest?

The community makes Patchstack different from other traditional Bug Bounty sites. The fact that there are events by theme is really good too, and the VDP interface is great for managing your submissions. But above all, the responsiveness of the team, particularly when it comes to validating vulnerabilities: the process is very fast and very fluid.

I’d also add the fact that there’s a lot of sharing, especially of articles on the blog and shares on the Discord channel.

Is there a vulnerability you found that you are most proud of? How did you find it and why do you consider it so special?

Given that I’ve found a lot of vulnerabilities (almost 700 in total), I don’t have any that stand out (it’s hard to remember them all 😂), but my favorites are Unauthenticated vulnerabilities, especially RCE Unauthenticated and Privilege Escalation Unauthenticated.

If you had unlimited power and could change one thing in WordPress’ security – what would it be and why?

For my part, I find the WordPress core to be relatively secure, and for me, the problem lies in the way security is implemented by the devs.

I think we need to raise awareness among the actors in this field, and on the technical side, I think we might need to review the critical endpoints on the AJAX side, which can lead to quite a few vulnerabilities.
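To make the two technical points above concrete (white-box review of plugin source for dangerous patterns, and AJAX endpoints as a recurring source of Broken Access Control), here is an added example that is not Mika's tooling or any Patchstack code. It is a small Python triage script that scans a constructed, hypothetical plugin source (no real plugin is referenced) for `wp_ajax_*` / `wp_ajax_nopriv_*` registrations and reports handlers that reach a state-changing sink without a capability check. The sink, capability-check and nonce-check lists are assumptions chosen for the demo; it only resolves plain string callbacks, not `array($this, 'method')` style callbacks.

```python
"""Static triage of WordPress AJAX handlers for missing authorization checks.

Added example, not code from the interview or from any real plugin. The
sample source below is constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample plugin source (hypothetical, not a real plugin).
SAMPLE_PLUGIN = r"""<?php
add_action('wp_ajax_nopriv_demo_set_role', 'demo_set_role');
add_action('wp_ajax_demo_set_role', 'demo_set_role');
function demo_set_role() {
    $user = get_user_by('id', intval($_POST['user_id']));
    $user->set_role(sanitize_text_field($_POST['role']));
    wp_send_json_success();
}

add_action('wp_ajax_demo_export', 'demo_export');
function demo_export() {
    check_ajax_referer('demo_export_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(get_option('demo_settings'));
}

add_action('wp_ajax_demo_delete_post', 'demo_delete_post');
function demo_delete_post() {
    check_ajax_referer('demo_delete', 'nonce');
    wp_delete_post(intval($_POST['post_id']), true);
    wp_send_json_success();
}
"""

# add_action('wp_ajax_[nopriv_]<action>', '<callback>') with plain string callbacks.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['\"]\s*,\s*['\"]([A-Za-z0-9_]+)['\"]"
)

# Assumed pattern lists for the demo; extend them for a real review.
CAP_CHECKS = ("current_user_can(", "user_can(", "is_super_admin(")
NONCE_CHECKS = ("check_ajax_referer(", "wp_verify_nonce(", "check_admin_referer(")
SINKS = ("set_role(", "wp_update_user(", "wp_insert_user(", "add_role(",
         "wp_delete_post(", "update_option(")


@dataclass
class Finding:
    callback: str
    hooks: list = field(default_factory=list)
    nopriv: bool = False           # reachable without logging in
    has_cap_check: bool = False    # authorization
    has_nonce_check: bool = False  # CSRF protection only, not authorization
    sinks: list = field(default_factory=list)
    severity: str = "info"


def function_body(source: str, name: str):
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None


def audit_ajax_handlers(source: str):
    """Map every AJAX registration to its callback and classify the handler."""
    findings = {}
    for nopriv, action, callback in HOOK_RE.findall(source):
        f = findings.setdefault(callback, Finding(callback=callback))
        f.hooks.append(("wp_ajax_nopriv_" if nopriv else "wp_ajax_") + action)
        f.nopriv = f.nopriv or bool(nopriv)

    for f in findings.values():
        body = function_body(source, f.callback) or ""
        f.has_cap_check = any(c in body for c in CAP_CHECKS)
        f.has_nonce_check = any(n in body for n in NONCE_CHECKS)
        f.sinks = [s for s in SINKS if s in body]
        # A nonce alone does not authorize: any user who can obtain one may call it.
        if f.sinks and not f.has_cap_check:
            f.severity = "high" if f.nopriv else "medium"
        elif not f.has_cap_check:
            f.severity = "low"  # no known sink, still worth a manual look
    return sorted(findings.values(), key=lambda x: x.callback)


if __name__ == "__main__":
    for fnd in audit_ajax_handlers(SAMPLE_PLUGIN):
        print(f"{fnd.severity:6} {fnd.callback:18} nopriv={fnd.nopriv} "
              f"cap={fnd.has_cap_check} nonce={fnd.has_nonce_check} sinks={fnd.sinks}")
```

Run against the sample, `demo_set_role` is flagged high: it is registered on a `nopriv` hook and changes a user's role with neither a capability check nor a nonce, which is exactly the unauthenticated privilege escalation shape Mika mentions. `demo_delete_post` is flagged medium: the nonce stops CSRF, but any logged-in user (a subscriber, for instance) who can fetch the nonce can delete arbitrary posts because nothing checks `delete_post` capability. `demo_export` checks both and is reported as info.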

How have your hacker skills and mindset come in handy elsewhere?

I think the hacker mindset is useful in almost every task in life. The most important thing is to put yourself in the shoes of the person in front of you and try to understand why things are done in a certain way. I've already adopted a hacker mindset to make things in life easier.
