'Of equal merit to taking drugs': Katie Paxton-Fear on the thrill of bug bounty hunting

Katie Paxton-Fear never thought she’d become an expert in cybersecurity yet she now teaches the subject at Manchester Metropolitan University. She’s also the creator of InsiderPhD, a Youtube channel where she shares her adventures and expertise with other aspiring ethical hackers.

Paxton-Fear joined Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, on the Random but Memorable podcast to share some of her most fascinating vulnerability discoveries, how she got into the field, and her advice for anyone interested in joining the bug hunting ranks. Read the interview highlights here, or listen to the full podcast episode.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Michael Fey: How did you get into the field of cybersecurity?

Katie Paxton-Fear: I always describe it as kind of an accident. I did a usual computer science degree. I finished university. I got a job and realized about six months into that job that I hated it. Why am I doing this job? I had this realization and a bit of panic and I was like, “You know what? I’m going to do a PhD. I’m going to be a researcher and an academic and I’m going to read books all day.”

Unfortunately, I had this realization around Christmas time and the intake for PhDs was basically nothing. But when I realized I hated my job, I really hated it. So I said, “Well, I guess I’ll get the first PhDs that comes to me.”

And it happened to be in cybersecurity! I never really intended to get into cybersecurity. My background is in machine learning and ancient language decipherment, so it was quite different.

I then ended up getting into hacking through a live hacking event. I was invited as a mentee. My friends pushed me to apply. I didn’t want to apply. I was like, “I’m not good at security. I make websites. That’s what I do. That’s my job.”

“I found my first few bugs in Uber and it was an incredible experience. I was literally shaking."

And then I got invited to this live event and when I was there, despite knowing literally nothing ahead of time, I found my first few bugs in Uber and it was an incredible experience. I was literally shaking. The elation I felt was like nothing else and I haven’t stopped since. That was three or four years ago.

MF: What were the bugs that you found?

KPF: I can’t share them in detail for obvious reasons. But I can share a little bit about them. Essentially it was the ability to change the price of something in Uber without being authorized.

For example, changing the cost of somebody else’s Uber ride. Making it really high or really low. And not only that, you could also change it to be a negative number. Now, I don’t know if that would’ve gone through, but it’s quite funny to imagine you get into an Uber and the cost is $1,000 for a five-minute ride or even better, minus-$1,000 and Uber pays you to enjoy that ride.

They were super simple bugs, not very technically complex. They were very obvious. I’m surprised nobody else found them, to be honest!

MF: You’ve gone on to uncover vulnerabilities in tons of systems and applications. What are some of your most memorable discoveries?

KPF: There are two main bugs that I think about. One was really interesting technically, and one was really interesting for its impact despite being a very boring bug.

There are types of bugs that we like to call “access control issues” where you don’t have permission to do something. Maybe you’re a low-level user and you’re trying to do an admin function. Maybe you’re a part of one organization but you’re trying to impact a different organization – those kinds of issues.

It was a very typical bug where all you needed was somebody’s email address to access a form that this same person had already filled in. This website didn’t have proper accounts and didn’t want to deal with password resetting. The problem was that as long as somebody knew your email address and knew you’d made a request to this website, they could see that request and edit it. You might think, “Okay, no big deal.” Well, this particular website was being used for air shows and you could specify a runway length for an aircraft.

“This particular website was being used for air shows and you could specify a runway length for an aircraft."

Technically it wasn’t a very interesting bug. But there’s a reason why airplanes have specific runway lengths for different aircraft. You can’t land a big plane on a small runway. The actual impact of this in real life would’ve been huge! That’s the most interesting one impact-wise.

For my technical example, I once used an error message to find a bug that was not in the software I was testing, and not in the software that that software was using, but there was a dependency of a dependency of a piece of software that it was then developed on top of like a framework. I used this error message in a ton of fingerprinting. I felt huge hacker vibes from that one.

MF: Finding a dependency tree that lets you exploit a vulnerability has got to feel pretty epic.

KPF: It did because I had never seen this before, so I felt like I was uncovering treasure.

MF: What would you say drives your passion for hunting down vulnerabilities? Are you just chasing a high or is it something more?

KPF: I’ve never done drugs but I’m certain that the high you get from bug hunting and finding a vulnerability, reporting it, and then getting paid is probably of equal merit to taking drugs. It’s a fantastic feeling!

My real passion is problem-solving and puzzles. Because when you’re bug hunting, you’re often completely outside. You don’t have any information about how any of the systems are supposed to work. You’re piecing together this jigsaw of different technology stacks. All the jigsaw pieces are blank and you’re not really sure if they belong to the same set but you’re still trying to place them.

“There’s nothing like the experience of putting together all those little pieces and coming out with a security vulnerability."

I don’t think there’s anything quite like that experience of putting together all those little pieces and coming out with a security vulnerability. When I go to live events and I see some of my friends getting thousands of dollars literally every few minutes, it’s just crazy. It’s the weirdest experience.

MF: Your YouTube channel provides tons of insights into the world of bug bounty hunting. What inspired you to share your experiences and knowledge that way?

KPF: I originally wanted to make videos because I was a mentee at this HackerOne event and I didn’t really know what I was doing.

I had the background of being a web developer and looking at a HTTP request. I knew what that was, I knew what the response was. I could read JSON, I knew what an API was, I had all that kind of technical knowledge. But I had never seen an HTTP request before, meaning the actual raw text that goes into one. I would describe it like this: you know how to drive a car but if you open it up, you’d have no idea which part was going “vroom vroom”.

“I had never seen an HTTP request before, meaning the actual raw text that goes into one."

During that time I was learning Burp Suite, the main tool that bug bounty hunters use. I was learning how to make raw HTTP requests. I was also looking at raw API requests and responses. I learned a lot in five hours about security testing!

Then I was fortunate to be invited to another event as a mentee – in Vegas! If someone offers you a free trip to Vegas from the UK, you do not turn that down.

When I was there, I had this experience where I was looking at some of the other invited mentees and realized that I was a little bit further along the learning pathway. Not massively, but I did realize there was this gap between what I had learned in that first experience when I was putting together those pieces and finding my first bug and where they were coming from. Not that they were bad hackers or anything!

“I realized that I was a little bit further along the learning pathway."

These were people who worked actual AppSec jobs and weren’t Ph.D. students having fun. They were technical security people and they were still struggling to find a bug. I got back from Vegas and thought, “I’m going to make a YouTube video explaining what you’re supposed to do with Burp Suite and what all the tabs do.” Because I didn’t understand that, and neither did they. “I know a little bit about how those tabs work now, so I’m just going to make the video.”

People liked it and I was like, “Wow, this is amazing.” I thought, “Well, I’ll make some other videos,” thinking about what people were struggling with and also bringing in my academic background. I really wanted to do something closer to a traditional classroom in more of a lecture format, which is how I was used to learning as a student.

“I’ve received nothing but kindness and support from the community."

I haven’t stopped making videos since. It’s been amazing to watch a community grow. The cybersecurity community is incredible.

I think a lot of people, especially women, are quite scared because they’re like, “Oh, they’re going to be abusive towards me.” Honestly, I’ve received nothing but kindness and support from the community. To be recommended by some of the best hackers in the world who say, “Yeah, you should watch Katie’s videos, her videos are really great” – it’s a humbling experience.

MF: You’re a lecturer of cybersecurity at Manchester Metropolitan University, so it seems teaching is a huge passion and motivator for you. How do we inspire the next generation of security professionals?

KPF: This question is really interesting. I don’t know that it’s a problem to have the next generation of hackers stay on the right side as it was previously. Nowadays there are so many different outlets, from training programs like TryHackMe and Hack The Box to both online and local CTFs (Capture The Flag games). For anyone who’s interested in security, there is nothing but opportunity out there. Especially with things like the rise of bug bounty hunting.

There’s also an opportunity to develop skills at a younger age. If you were a teenager who was interested in cybersecurity at the same time I was a teenager, you’d end up on a hacking forum. Nowadays, teens can get involved in HackerOne or Bugcrowd. They can do a CTF competition and get a prize.

“A lot of the students and people I talk to feel like it’s not for them. They’re interested in it but they’re worried they’re not good enough."

There are so many legal, well-paid ways to engage with that interest nowadays that honestly, the hard part is getting students to see the potential in themselves. A lot of the students and people I talk to feel like it’s not for them. They’re really interested in it but they’re worried they’re not good enough. I think that’s far more of an issue.

MF: Going back to bug bounty hunting, how do you disclose vulnerabilities to companies in a way that actually prompts action and fixes?

KPF: I have some controversial takes here. I used to work in triage at Bugcrowd. For people who aren’t aware, when a vulnerability gets submitted it usually goes through the triage services of a bug bounty program before it goes to a company like 1Password.

This is because bug bounty programs get a lot of spam. Any person who’s familiar with bug bounties who thinks, “Yeah, it can’t be that bad” – it’s bad.

“Bug bounty programs get a lot of spam."

A lot of people will lie about the severity of their bugs. This is why I have some controversial takes. First, you’ve got to be honest. If your bug is terrible, or if it isn’t very severe, just be honest and say that! You’ve got to realize that this isn’t a competition. It’s not you versus triage versus the customer. You’re all working together, and I promise that everybody wants things to be more secure! Nobody wants to leave horrible bugs outstanding.

I always recommend professionalism. I always recommend clarity and having the kind of attitude that you’re okay with the decision maker saying, “You know what? We don’t care about this. It’s fine. Totally fine.” In terms of how you actually get a fix, that’s when it comes down to steps of reproduction, and making sure the client really understands the impact.

“You also need soft skills like report writing, professionalism."

You’ll note that none of these things that I’ve mentioned have anything to do with technical skills. It’s not that technical skills aren’t important, but you also need soft skills like report writing, professionalism, engagement, and making sure you have clear steps. All of that really benefits a program and gets your bugs triaged quickly and resolved.

MF: What are some of the essential traits and habits for becoming a good security researcher or bug bounty hunter?

KPF: First of all, have a growth mindset. You cannot have the mindset that “something has happened, therefore you are useless”. Mental health-wise, it’s not going to do you any favors. But also, it’s not going to keep you motivated. You have to have a mindset of, “I am interested in this. I want to learn this. If I’m bad at something, I can improve.”

Technical skills are very important. You have to be somebody who wants to dive into the technical details. At the start it’s not necessarily important. If you know you want to get into hacking, you can just start. There’s nothing special. There’s no course. There’s no book. There’s no magic spell. There’s nothing that will be like, “I depart unto you all bug hunting knowledge. You may now go out and download Burp Suite and have a go yourself.”

Being somebody who’s willing to question, why is that the case? You don’t have to be a genius. You have to be somebody who’s willing to go into insane amounts of detail.

And finally, I think it’s also just being a good professional. It’s being somebody who’s willing to work with a team and to work within the constructs of something like an NDA. It’s being somebody who’s able to be flexible and not necessarily be the star all the time.

“While we may wear hoodies, we also go into an office and take the bus at nine o’clock in the morning and go to Starbucks."

A lot of people have this viewpoint that hackers are completely outside the sphere of normal people. They’re scary people who live in basements and wear hoodies. While we may wear hoodies, we also go into an office and take the bus at nine o’clock in the morning and go to Starbucks and buy lattes just like everybody else who works in an office.

MF: What is some advice that you would give to individuals who are interested in pursuing a career?

KPF: The best advice I can give people is to follow me on YouTube with the ad blocker off. No, I can’t say that seriously! There are so many good pieces of content and security creators out there. You really can’t go wrong. Listen to podcasts, watch YouTube videos, listen to conference talks. They’re all great places to get started.

1Password