Acknowledgements

Over the past few years, as an avid security researcher, I have received acknowledgements from the following leading firms for the discovery, responsible disclosure and collaboration in the fixing of security issues.

Optus Voicemail Exploit Information Disclosure

I assisted Shubham Shah in discovering (and testing) the Optus voicemail PIN bypass exploit. Due to a broken trust model, a forged caller ID would allow an attacker to bypass the PIN protection of voicemail and have full access to the victim's voicemail control panel. I also created the web application used to test if a user's phone number is vulnerable.

Microsoft (Online Services) ColdFusion Exploit (Root Access)

Due to an outdated version of ColdFusion installed on a Microsoft MSN server, I was able to bypass the administrative login and gain administrative access. This would allow me to schedule tasks, such as reverse shells or creating users, to run as a privileged user.

Grok Learning Sandbox Bypass

Due to a misconfiguration in the testing machine's firewall, the sandbox could access the internet. This allowed for the disclosure of test data (as well as possible exploitation vectors).

Medium Information Disclosure

Due to a vulnerable version of OpenSSL, Medium's servers were vulnerable to the Heartbleed OpenSSL bug, allowing up to 64kb of server memory to be disclosed to a hacker (possibly leaking private keys, users' passwords, POST data, etc.).

Altervista Information Disclosure

Due to a vulnerable version of OpenSSL, Altervista's control panel was vulnerable to the Heartbleed OpenSSL bug, allowing up to 64kb of server memory to be disclosed to a hacker (possibly leaking private keys, users' passwords, POST data, etc.).

Competitions

Due to my interest in security research, I have participated in multiple information security competitions. The following are some notable competitions which I have taken part in.

K17 CTF - 2013 4th Overall

A competition which contained challenges pertaining to web applications, reverse engineering and exploitation, cryptography, network and memory forensics and Unix exploitation. I was mostly involved in the reverse engineering, cryptography and Unix exploitation aspects of the competition and assisted the members working on the web application.

PHDays CTF IV Quals - 2014

This competition contained a grab-bag of many different aspects of information security, the most interesting of which was an MMORPG for the contestants (where hacking the game was rewarded with CTF points). I was mostly involved in the sandbox-escaping and information-gathering aspects of the competition. I also assisted team members working on the cryptography challenges.