UPDATE: As of 2022, Patchstack Red Team is known as Patchstack Alliance.
In this article, we introduce our Red Team member m0ze. M0ze was the top Red Team member in April, with a total of 1214 points and 61 vulnerabilities reported to the Patchstack database.
Patchstack Red Team is a community of independent security researchers who contribute to building a safer web.
Red Team members identify and report security vulnerabilities in WordPress plugins and themes to help software vendors address security issues before they pose a risk to users and to the public.
What is your story about getting into cybersecurity?
It all started in early childhood when a number of interesting moments coincided: in early 1999, I first picked up the «Hacker» magazine (issues #2, #3, and #4.)
Of course, I did not understand anything there yet, but even then I realized that the future for this industry is huge and that if I study computers I will gain profit in the near future.
Then I had a chance to watch the process of installing the game «Dune 2000» on my first computer, and it was not so interesting for me to play it as to find an answer to the question of where the files from the CD disk went and how it all works in general.
As soon as my father left the computer, thinking that I would continue to play, I quit the game and began to get used to the system (then it was already Windows’98).
Then I was lucky to watch the film «Hackers» on cable TV, and become a frequent visitor to the popular Internet cafes/clubs, where you could not only surf the Internet but also participate in a LAN party (hello to all fans of Q2, Q3, UT’99).
My parents did not share my optimism and my new hobby, considering that it was a waste of time. They were wrong. This is roughly how the interest in hacking and in the hacking scene arose. I think it would be appropriate to quote Robert Frost here:
«Two roads diverged in a wood and I – I took the one less traveled by, and that has made all the difference.»
How did you study cybersecurity?
I have learned everything on my own and have never felt the desire to receive a specialized “cybersecurity” education.
Of course, this step is important, good, and interesting, but, as practice shows, specialized education develops “correct” reactions to certain situations, often displacing creativity and freedom of thought, which for this area is more a minus than a plus (important to mention that some large companies have been practicing hiring hackers, not security specialists).
Also, so far there was no need to obtain specialized certificates, and getting them in order to be a “certified specialist” and write about it on my Twitter profile is already some kind of cost of our time and profession, I’m not interested in this. I don’t deny that in the future something may change in this matter, but so far this is how it is.
What kind of tools do you use? Which OS do you prefer?
I will not highlight anything especially – the set is the most common for a hacker/appsec researcher/cybersecurity specialist, except that due to the specifics of the activity, I have recently most often used Burp Suite and my own scripts and payloads.
Plus, now I use CherryTree to structure my work data – quite good, but I’m sure there is something better.
Why have you decided to use the nickname m0ze?
In my entire “virtual” life, I have changed more than 500 nicknames, simply because I have never been focused on drawing attention to my person. In general, I didn’t attach any special importance to this.
Over the past couple of years, I have often used the aliases Ex.Mi, Vlad Vector, and SubversA, but my real name has always been a constant, so it’s hard to say that I am “better known as m0ze”.
Is security research a hobby or a job?
Both options: hobby and work. Of course, there are some nuances here: legal earnings are less valued in the market and are more susceptible to the influence of commercial structures.
While illegal earnings are better paid and don’t follow any absurd, you know, “rules”. At the same time, they are riskier.
The main thing is that there is a choice, and everything depends on specific situations and goals. «There is no right or wrong, only fun and boring.» © If you know what I mean.
The process itself is more than interesting. The boring and annoying factor here, I think, is only one: this is the incompetence of some developers, unwillingness to change something and admit their mistakes, security through obscurity, and the annoying DMCA.
I will also say hello to all developers of premium solutions who, instead of fixing vulnerabilities, install any WAF on their servers, thinking that this is a proper way to get the problem solved.
Remember that you are writing code and developing a product for customers and other users, and with such an attitude to the issue, you simply endanger their projects and their trust in you. And this doesn’t save you from hackers anyway. Hell, it is much easier to make such a decision than to be responsible for its consequences.
The idea of “ethics” in cybersecurity with this attitude is brought to the point of absurdity and entails a banal disrespect shown to security researchers (in fairness, it should be noted that the researchers themselves have made an invaluable contribution to this).
As long as we play by their soft, childish rules, we will get the same soft, childish results. We need to decide how far we are ready to go so that the situation begins to change towards something more adequate.
«Security is achieved through openness. Take things apart and play with them… exposing bad security is what protects us all.» – Deviant Ollam [Introduction to Lockpicking and Physical Security. DEFCON 13, 2005]
If you decided to change your profession, what would that profession be?
I have been working since I was 15 years old, I have experience as a specialist in the production of printing products, graphic designer, administrator, journalist, web developer, etc.
I’m interested in many areas, so, theoretically, it is possible that I can start to master something completely new to myself. I love to cook and who knows, maybe I will become a chef someday, ha-ha!
How many vulnerabilities have you found in total? Which discovery makes you most proud of yourself?
I never counted them all, nor did I mark any individual vulnerabilities. For me, ideas that can be implemented and conveyed through my research are more important, but this is not always a quick process.
For example, over the past two years, I have found about ~200+ vulnerable products sold on ThemeForest and CodeCanyon, but for the better, the marketplace hasn’t somehow changed regarding the quality of the code.
And, as it turned out, they didn’t need any security specialists/researchers as members of the TF/CC teams. This targeting of the premium segment has not yet changed the company’s attitude towards the security of the products it sells, but it set me apart from other researchers who prefer to look for vulnerabilities in free plugins and themes.
You know, hacking is like an art, and art should disturb the comfortable and comfort the disturbed, and it’s pretty cool when you have an idea standing behind any of your hacks.
When did you start researching WordPress plugins and themes?
Many years ago I realized that this particular CMS has a great future, and started working with it. Then, many still predicted that only Joomla and Bitrix would remain in the market over time, displacing competitors.
Well, did it come true? A little more than 40% of sites on the Internet operate under the control of WordPress in 2021. Joomla CMS, as it was a clumsy monster, remains so. I won’t say anything about Bitrix at all, everyone already understands everything (who worked with this system).
Most of the time I was just engaged in the development, and in terms of security, WordPress didn’t interest me in any way – there was nothing catchy. The situation began to change as soon as the massive hacks of sites under the control of WordPress began, and they became more and more frequent.
Over time, I noticed that I began to spend less time on development, and became more in demand as a specialist who can cure a site of viruses, close vulnerabilities, and return it to full working condition.
More precisely, the development became a very boring and predictable work for me, while the whole story about vulnerabilities in WordPress, in fact, was only gaining momentum. The choice was obvious.
You are the first winner of the Red Team monthly prize - how do you like Red Team so far?
Cool. Cool. Super cool. The Red Team project is completely new, many processes are not yet automated, so there is no particular feeling of competition – I just do what I usually do, and at the end of the month I found out that I – [Drumroll!] – won.
I am sure this feeling will change in the very near future when there will be more participants.
The concept of the project is not only interesting but also gives you a chance to make money on your research – it’s cool!
The openness to new ideas is also encouraging – this opens up additional possible directions, making the project more multifaceted step by step.