Eugene Lim is a security researcher and white hat hacker. He has worked on several bug bounty programs, including Starbucks, Grab, and Salesforce, and was ranked #2 globally out of more than 600,000 hackers on the HackerOne moving leaderboard. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by HackerOne, the US Air Force, the UK Ministry of Defense, and Verizon Media.
He is interested in application security and securing user data through sustainable DevSecOps practices. He is pursuing additional experience in artificial intelligence and quantum computing.
Conferences and Talks
- Black Hat USA 2021: “Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks”
- DEF CON 29 2021: “Hacking Humans with AI as a Service”
- Black Hat USA Arsenal 2020: “Manuka: A modular, scalable OSINT honeypot targeting pre-attack reconnaissance techniques”
- Black Hat Asia Arsenal 2019: “npm-scan: An Extensible, Heuristic-Based Vulnerability Scanning Tool for Installed NPM Packages”
- CVE-2021-38646: Remote code execution in Microsoft Office Access Connectivity Engine via write-what-where gadget.
- CVE-2021-33035: Remote code execution in Apache OpenOffice via return pointer overwrite with DEP/ASLR bypass.
- CVE-2020-7788: Prototype pollution in the ini package included in core Node.js installer and downloaded 16 million times a week.
- A malicious document could lead to RCE in Apache OpenOffice, Help Net Security
- Apache OpenOffice can be hijacked by malicious documents, fix still in beta, The Register
- Malicious documents can hijack Apache OpenOffice, TechRadar
- AI Wrote Better Phishing Emails Than Humans in a Recent Test, WIRED Magazine
- New npm scanning tool sniffs out malicious code, The Daily Swig
- SQL injection flaw opened doorway to Starbucks’ accounting database, The Daily Swig
- SQL Injection Vulnerability Exposed Starbucks Financial Records, SecurityWeek
- Yale graduate earns $11,000 finding bugs by 'hacking' into government systems, The Straits Times
- NSF is top hacker in Mindef's programme that gives cash for discovering software bugs, The Straits Times
- NSF bug hunter wins big, PIONEER Magazine
- Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results, HackerOne