
Spaceraccoon's Blog
InfoSec and White Hat Hacking
About 🔗
Eugene Lim is a security researcher and white hat hacker. He has worked on several bug bounty programs, including Amazon, Facebook, and Salesforce, and was ranked #2 globally out of more than 600,000 hackers on the Hackerone moving leaderboard. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by Hackerone, the US Air Force, the UK Ministry of Defense, and Verizon Media. In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the H1-Elite Hall of Fame.
He is interested in application security and securing user data through sustainable DevSecOps practices. He is pursuing additional experience in artificial intelligence and quantum computing.
Hackerone | Github | LinkedIn | Twitter
Conferences and Talks 🔗
- ShmooCon 2022: “Why No One Pwned Synology at Pwn2Own and TianFu Cup This Year: Analyzing Defensive Coding Techniques from a Vulnerability Researcher’s Perspective”
- HacktivityCon 2021: “All Your (Data)base Are Belong To Us: Getting Started in Vulnerability Research with Code Execution Bugs in Office Applications”
- Black Hat USA 2021: “Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks”
- DEF CON 29 2021: “Hacking Humans with AI as a Service”
- Black Hat USA Arsenal 2020: “Manuka: A modular, scalable OSINT honeypot targeting pre-attack reconnaissance techniques”
- Black Hat Asia Arsenal 2019: “npm-scan: An Extensible, Heuristic-Based Vulnerability Scanning Tool for Installed NPM Packages”
Research 🔗
- CVE-2022-22944: VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability.
- CVE-2022-24704, CVE-2022-24705: Buffer overflow in Accel-PPP VPN server via crafted packet.
- CVE-2021-43929, CVE-2022-22679, CVE-2021-43925, CVE-2021-43926, CVE-2021-43927, CVE-2022-22680: Various vulnerabilities in Synology DiskStation Manager (NAS OS).
- CVE-2021-43083: Buffer overflow in Apache PLC4X (communication libraries for industrial programmable logic controllers) via crafted packet.
- CVE-2021-38646: Remote code execution in Microsoft Office Access Connectivity Engine via write-what-where gadget.
- CVE-2021-33035: Remote code execution in Apache OpenOffice via return pointer overwrite with DEP/ASLR bypass.
- CVE-2021-42783, CVE-2021-42784: Unauthenticated remote code execution in D-Link DWR-932C router.
- CVE-2021-42785: Buffer Overflow in tvnviewer.exe via Crafted Packet in TightVNC Viewer 2.8.59.
- CVE-2021–35297: Scalabium dBase Viewer Remote Code Execution via Buffer Overflow.
- CVE-2020-7788: Prototype pollution in
ini
package included in core Node.js installer and downloaded 16 million times a week.
Media 🔗
- A malicious document could lead to RCE in Apache OpenOffice, Help Net Security
- Apache OpenOffice can be hijacked by malicious documents, fix still in beta, The Register
- Malicious documents can hijack Apache OpenOffice, TechRadar
- AI Wrote Better Phishing Emails Than Humans in a Recent Test, WIRED Magazine
- New npm scanning tool sniffs out malicious code, The Daily Swig
- SQL injection flaw opened doorway to Starbucks’ accounting database, The Daily Swig
- SQL Injection Vulnerability Exposed Starbucks Financial Records, SecurityWeek
- Yale graduate earns $11,000 finding bugs by ‘hacking’ into government systems, The Straits Times
- NSF is top hacker in Mindef’s programme that gives cash for discovering software bugs, The Straits Times
- NSF bug hunter wins big, PIONEER Magazine
- Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results, HackerOne