About 🔗

Eugene Lim is a security researcher and white hat hacker. He has worked on several bug bounty programs, including Amazon, Facebook, and Salesforce, and was ranked #2 globally out of more than 600,000 hackers on the Hackerone moving leaderboard. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by Hackerone, the US Air Force, the UK Ministry of Defense, and Verizon Media. In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the H1-Elite Hall of Fame.

He is interested in application security and securing user data through sustainable DevSecOps practices. He is pursuing additional experience in artificial intelligence and quantum computing.

Hackerone | Github | LinkedIn | Twitter

Conferences and Talks 🔗

• ShmooCon 2022: “Why No One Pwned Synology at Pwn2Own and TianFu Cup This Year: Analyzing Defensive Coding Techniques from a Vulnerability Researcher’s Perspective”
• HacktivityCon 2021: “All Your (Data)base Are Belong To Us: Getting Started in Vulnerability Research with Code Execution Bugs in Office Applications”
• Black Hat USA 2021: “Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks”
• DEF CON 29 2021: “Hacking Humans with AI as a Service”
• Black Hat USA Arsenal 2020: “Manuka: A modular, scalable OSINT honeypot targeting pre-attack reconnaissance techniques”
• Black Hat Asia Arsenal 2019: “npm-scan: An Extensible, Heuristic-Based Vulnerability Scanning Tool for Installed NPM Packages”

Research 🔗

• CVE-2022-22944: VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability.
• CVE-2022-24704, CVE-2022-24705: Buffer overflow in Accel-PPP VPN server via crafted packet.
• CVE-2021-43929, CVE-2022-22679, CVE-2021-43925, CVE-2021-43926, CVE-2021-43927, CVE-2022-22680: Various vulnerabilities in Synology DiskStation Manager (NAS OS).
• CVE-2021-43083: Buffer overflow in Apache PLC4X (communication libraries for industrial programmable logic controllers) via crafted packet.
• CVE-2021-38646: Remote code execution in Microsoft Office Access Connectivity Engine via write-what-where gadget.
• CVE-2021-33035: Remote code execution in Apache OpenOffice via return pointer overwrite with DEP/ASLR bypass.
• CVE-2021-42783, CVE-2021-42784: Unauthenticated remote code execution in D-Link DWR-932C router.
• CVE-2021-42785: Buffer Overflow in tvnviewer.exe via Crafted Packet in TightVNC Viewer 2.8.59.
• CVE-2021–35297: Scalabium dBase Viewer Remote Code Execution via Buffer Overflow.
• CVE-2020-7788: Prototype pollution in ini package included in core Node.js installer and downloaded 16 million times a week.

Media 🔗

• A malicious document could lead to RCE in Apache OpenOffice, Help Net Security
• Apache OpenOffice can be hijacked by malicious documents, fix still in beta, The Register
• Malicious documents can hijack Apache OpenOffice, TechRadar
• AI Wrote Better Phishing Emails Than Humans in a Recent Test, WIRED Magazine
• New npm scanning tool sniffs out malicious code, The Daily Swig
• SQL injection flaw opened doorway to Starbucks’ accounting database, The Daily Swig
• SQL Injection Vulnerability Exposed Starbucks Financial Records, SecurityWeek
• Yale graduate earns $11,000 finding bugs by ‘hacking’ into government systems, The Straits Times
• NSF is top hacker in Mindef’s programme that gives cash for discovering software bugs, The Straits Times
• NSF bug hunter wins big, PIONEER Magazine
• Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results, HackerOne