How I Earned $47000 USD As A High School Student
TL;DR: Bug bounty with Apple
Ignore my butchered English. It’s not my first language.
Boring background (My life story)
Chūnibyō: A colloquial Japanese term for early teens who have delusions of grandeur. Also a great anime.
I was one of them, holding delusions of becoming a ‘hacker’ sporting a black hoodie with a Guy Fawkes mask covering my face. The genius villain of the movies.
Yet despite my dreams, I never really knew anything. The most I could do was inspect elements in Chrome and change some text or get infinite cookies in Cookie Clicker.
Then came the blessing of 2020: It was the Chinese New Year and I had returned to my hometown in Malaysia. Just as my family booked the flight back to school, the pandemic struck. Flights were canceled and we were placed under lockdown. For a whole 6 months, I was stuck indoors.
Bored out of my mind, I began to learn ‘hacking’. I couldn’t code, and my internet was crap but what else was there to do?
With an old Macbook and Google, I began to search:
I started with wireless networks: Cracking WPA, sniffing packets, and MITM with ettercap. Why? Because I had shit internet and wanted to ‘borrow’ internet from a neighbor. Well, I failed. They had a strong password or something.
A few weeks into research and I was barely touching upon Virtual Machines and ParrotOS (I didn’t know Kali Linux until much later).
Then, school started. While I was stuck abroad, my school had already opened up and soon, E-learning became the norm while the rest of my classmates were already physically there. The national borders were closed and I could not get back.
Being far away from any repercussions, I slacked off, focusing on learning ‘hacking’ rather than academics. It was during this time that I went from being a straight-A student to getting a 1% on my IGCSE mock exams for math (Time skip here. The failure was sometime in 2021).
Despite my desolate grades, I was making progress. What had once simply been a delusion had come to life. I was getting used to using Metasploit and had just completed my first coding project, a simple reverse shell written with Python sockets. A month later and I wrote a PHP site that could send fake emails from any address (patched and defunct).
Just as I was reaching the level of “script kiddie”, travel restrictions lifted and I became occupied with school work. While I did occasionally prank teachers with spoofed emails from the CIA, I learned nothing new.
<Insert time skip>
Finding an exploit
August 2021: IGCSE was over and it was yet another holiday. I do not remember the exact reason but I was playing with a new tool I found by the name of EggShell (A RAT). With EggShell’s shell, there was a bug: Doing ^c (control+c) occasionally terminated a frozen remote process or killed the shell itself. However, if I rerun the shell quickly enough, the connection would persist. (I later found the bug but that’s irrelevant)
Curious enough, when I attempted to take a remote screenshot after the reconnection, I was able to immediately retrieve the image, seemingly without prompting for permission. However, I was unable to replicate this consistently
December 2021: Yet another holiday. This time, Christmas. I had gotten bored with the inconsistency of EggShell and returned to using Meterpreter. This time, I was trying to be discrete while pranking a friend (I know it is illegal. Please don’t arrest me. I was dumb) and ‘rm -rf’ed the dropped Trojan executable. Yet again, I was able to take screenshots without permission… and it was replicable. Upon noticing that I had found an actual exploit, I immediately Googled how I can get money for this.
A Rollercoaster with Apple
Guess what? Apple had a generous bug bounty system. Based on their examples, I was set for $50,000!!!
Having previous issues with disappointing my family, I told nobody. My heart was leaping out of my mouth in excitement, yet I kept silent.
With a quick low quality write-up, I sent it to Apple.
A month passes. No response.
I learned Objective-C and wrote a one-click POC. Sent it off to Apple once again.
A month passed. A response.
My heart came close to exploding
One month passes
No more details. My requests for updates go unanswered. I lose hope.
Two months pass
I gave up cybersecurity as my career path. Might as well just be a normal programmer.
One month passes
Once again, I rejoiced. Perhaps it was not forgotten. I replied.
I informed my parents. Maybe something will actually happen for once…
I was not credited. I have no idea why.
Six months have passed since I received this email. Credits have not been given.
I delete everything I have related to ‘hacking’. My dream was no more.
Six months pass.
I got the award?
I followed through with the process provided. It was troublesome due to my underage status but with some help from my parents, I received the award. $47,000 in the bank.
Still no credit.
Aftermath
Nothing changed. I have given up cybersecurity and my young Chūnibyō delusions. I will be paying for my first year of college. My parents would’ve paid otherwise. No difference.
Lesson?
I don’t know.
I hate the slow response time of Apple. But I did get money out of it. Who am I to complain?
Thank you for reading this rant. I am procrastinating and don’t want to do my Bio IA.