How I Earned $47000 USD As A High School Student

How I Earned $47000 USD As A High School Student

TL;DR: Bug bounty with Apple

Ignore my butchered English. It’s not my first language.

Boring background (My life story)

Chūnibyō: A colloquial Japanese term for early teens who have delusions of grandeur. Also a great anime.

I was one of them, holding delusions of becoming a ‘hacker’ sporting a black hoodie with a Guy Fawkes mask covering my face. The genius villain of the movies.

Generic Guy Fawkes mask

Yet despite my dreams, I never really knew anything. The most I could do was inspect elements in Chrome and change some text or get infinite cookies in Cookie Clicker.

Then came the blessing of 2020: It was the Chinese New Year and I had returned to my hometown in Malaysia. Just as my family booked the flight back to school, the pandemic struck. Flights were canceled and we were placed under lockdown. For a whole 6 months, I was stuck indoors.

Bored out of my mind, I began to learn ‘hacking’. I couldn’t code, and my internet was crap but what else was there to do?

With an old Macbook and Google, I began to search:

I started with wireless networks: Cracking WPA, sniffing packets, and MITM with ettercap. Why? Because I had shit internet and wanted to ‘borrow’ internet from a neighbor. Well, I failed. They had a strong password or something.

A few weeks into research and I was barely touching upon Virtual Machines and ParrotOS (I didn’t know Kali Linux until much later).

Then, school started. While I was stuck abroad, my school had already opened up and soon, E-learning became the norm while the rest of my classmates were already physically there. The national borders were closed and I could not get back.

Being far away from any repercussions, I slacked off, focusing on learning ‘hacking’ rather than academics. It was during this time that I went from being a straight-A student to getting a 1% on my IGCSE mock exams for math (Time skip here. The failure was sometime in 2021).

Despite my desolate grades, I was making progress. What had once simply been a delusion had come to life. I was getting used to using Metasploit and had just completed my first coding project, a simple reverse shell written with Python sockets. A month later and I wrote a PHP site that could send fake emails from any address (patched and defunct).

Just as I was reaching the level of “script kiddie”, travel restrictions lifted and I became occupied with school work. While I did occasionally prank teachers with spoofed emails from the CIA, I learned nothing new.

<Insert time skip>

Finding an exploit

August 2021: IGCSE was over and it was yet another holiday. I do not remember the exact reason but I was playing with a new tool I found by the name of EggShell (A RAT). With EggShell’s shell, there was a bug: Doing ^c (control+c) occasionally terminated a frozen remote process or killed the shell itself. However, if I rerun the shell quickly enough, the connection would persist. (I later found the bug but that’s irrelevant)

Curious enough, when I attempted to take a remote screenshot after the reconnection, I was able to immediately retrieve the image, seemingly without prompting for permission. However, I was unable to replicate this consistently

December 2021: Yet another holiday. This time, Christmas. I had gotten bored with the inconsistency of EggShell and returned to using Meterpreter. This time, I was trying to be discrete while pranking a friend (I know it is illegal. Please don’t arrest me. I was dumb) and ‘rm -rf’ed the dropped Trojan executable. Yet again, I was able to take screenshots without permission… and it was replicable. Upon noticing that I had found an actual exploit, I immediately Googled how I can get money for this.

A Rollercoaster with Apple

Guess what? Apple had a generous bug bounty system. Based on their examples, I was set for $50,000!!!

Having previous issues with disappointing my family, I told nobody. My heart was leaping out of my mouth in excitement, yet I kept silent.

With a quick low quality write-up, I sent it to Apple.

A month passes. No response.

I learned Objective-C and wrote a one-click POC. Sent it off to Apple once again.

A month passed. A response.

My heart came close to exploding

One month passes

No more details. My requests for updates go unanswered. I lose hope.

Two months pass

I gave up cybersecurity as my career path. Might as well just be a normal programmer.

One month passes

Once again, I rejoiced. Perhaps it was not forgotten. I replied.

I informed my parents. Maybe something will actually happen for once…

I was not credited. I have no idea why.

Six months have passed since I received this email. Credits have not been given.

I delete everything I have related to ‘hacking’. My dream was no more.

Six months pass.

I got the award?

I followed through with the process provided. It was troublesome due to my underage status but with some help from my parents, I received the award. $47,000 in the bank.

Still no credit.

Aftermath

Nothing changed. I have given up cybersecurity and my young Chūnibyō delusions. I will be paying for my first year of college. My parents would’ve paid otherwise. No difference.

Lesson?

I don’t know.

I hate the slow response time of Apple. But I did get money out of it. Who am I to complain?

Thank you for reading this rant. I am procrastinating and don’t want to do my Bio IA.