A Haphazard Diary of Insignificance

How I earned $47000 USD as a high school student

How I earned $47000 USD as a high school student

TL;DR: Bug bounty with Apple

Antonio Cheong's photo
Antonio Cheong
·

5 min read

Ignore my butchered English. It’s not my first language.

Boring background (My life story)

Chūnibyō: A colloquial Japanese term for early teens who have delusions of grandeur. Also a great anime.

I was one of them, holding delusions of becoming a ‘hacker’ sporting a black hoodie with a Guy Fawkes mask covering my face. The genius villain of the movies.

Generic Guy Fawkes mask

Yet despite my dreams, I never really knew anything. The most I could do was inspect elements in Chrome and change some text or get infinite cookies in Cookie Clicker.

Then came the blessing of 2020: It was the Chinese New Year and I had returned to my hometown in Malaysia. Just as my family booked the flight back to school, the pandemic struck. Flights were canceled and we were placed under the lockdown. For a whole 6 months, I was stuck indoors.

Bored out of my mind, I began to learn ‘hacking’. I couldn’t code, and my internet was crap but what else was there to do?

With an old Macbook and Google, I began to search:

I started with wireless networks: Cracking WPA, sniffing packets, and MITM with ettercap. Why? Because I had shit internet and wanted to ‘borrow’ internet from a neighbor. Well, I failed. They had a strong password or something.

A few weeks into research and I was barely touching upon Virtual Machines and ParrotOS (I didn’t know Kali Linux until much later).

Then, school started. While I was stuck abroad, my school had already opened up and soon, E-learning became the norm while the rest of my classmates were already physically there. The national borders were closed and I could not get back.

Being far away from any repercussions, I slacked off, focusing on learning ‘hacking’ rather than academics. It was during this time that I went from being a straight-A student to getting a 1% on my IGCSE mock exams for math (Time skip here. The failure was sometime in 2021).

Despite my desolate grades, I was making progress. What had once simply been a delusion had come to life. I was getting used to using Metasploit and had just completed my first coding project, a simple reverse shell written with Python sockets. A month later and I wrote a PHP site that could send fake emails from any address (patched and defunct).

Just as I was reaching the level of “script kiddie”, travel restrictions lifted and I became occupied with school work. While I did occasionally prank teachers with spoofed emails from the CIA, I learned nothing new.

<Insert time skip>

Finding an exploit

August 2021: IGCSE was over and it was yet another holiday. I do not remember the exact reason but I was playing with a new tool I found by the name of EggShell (A RAT). With EggShell’s shell, there was a bug: Doing ^c (control+c) occasionally terminated a frozen remote process or killed the shell itself. However, if I rerun the shell quickly enough, the connection would persist. (I later found the bug but that’s irrelevant)

Curious enough, when I attempted to take a remote screenshot after the reconnection, I was able to immediately retrieve the image, seemingly without prompting for permission. However, I was unable to replicate this consistently

December 2021: Yet another holiday. This time, Christmas. I had gotten bored with the inconsistency of EggShell and returned to using Meterpreter. This time, I was trying to be discrete while pranking a friend (I know it is illegal. Please don’t arrest me. I was dumb) and ‘rm -rf’ed the dropped Trojan executable. Yet again, I was able to take screenshots without permission… and it was replicable. Upon noticing that I had found an actual exploit, I immediately Googled for how I can get money for this.

A Rollercoaster with Apple

Guess what? Apple had a generous bug bounty system. Based on their examples, I was set for $50,000!!!

Having previous issues with disappointing my family, I told nobody. My heart was leaping out of my mouth in excitement, yet I kept silent.

With a quick low quality write-up, I sent it to Apple.

A month passes. No response.

I learned Objective-C and wrote a one-click POC. Sent it off to Apple once again.

A month passed. A response.

My heart came close to exploding

One month passes

No more details. My requests for updates go unanswered. I lose hope.

Two months pass

I gave up cybersecurity as my career path. Might as well just be a normal programmer.

One month passes

Once again, I rejoiced. Perhaps it was not forgotten. I replied.

I informed my parents. Maybe something will actually happen for once…

ANONYMOUS? WTF

I was not credited. I have no idea why.

Are you kidding me?

Six months have passed since I received this email. Credits have not been given.

I delete everything I have related to ‘hacking’. My dream was no more.

Six months pass.

I followed through with the process provided. It was troublesome due to my underage status but with some help from my parents, I received the award. $47,000 USD in the bank.

Still no credit.

Aftermath

Nothing changed. I have given up cybersecurity and my young Chūnibyō delusions. I will be paying for my first year of college. My parents would’ve paid otherwise. No difference.

Lesson?

I don’t know.

I hate the slow response time of Apple. But I did get money out of it. Who am I to complain?

Thank you for reading this rant. I am procrastinating and don’t want to do my Bio IA.

#cybersecuritybugbountyApple