The teenage hackers paid millions to expose corporations’ weak spots

The 19-year-old sat at his desk, eyes hooked on the screen. Displayed on it was a corporate-looking website. At a casual glance it was just another nondescript web page, perhaps a little sparser than the colourful social media platforms he might be expected to browse.

But the American teenager had in fact gained access to the TAT-14 submarine telecommunications cable system. In operation until December 2020, the vital global commerce conduit stretched for more than 9,500 miles between France, Germany, Denmark, the Netherlands, Britain and the US.

“I came across this one web server. And the title was super interesting. So I wanted to see if I could hack it,” says Corben Leo.

His method was shockingly simple: Leo navigated to a very specific web address and refreshed the page twice. Thanks to a hitherto undetected flaw, the website treated his computer as if he had logged in with an administrator account.

It gave him the same level of control as the owners of TAT-14, resting his fingers on the artery of transatlantic trade in March 2019. And nobody knew he was there.

Leo’s hack is just one among a global community of bug bounty researchers: ethical hackers who investigate companies’ web servers for security flaws – bugs – and then reveal their findings to the owners, usually in return for payment.

“I could add admin access to all of their accounts. I could manage them, I had access to all of the internal cable documentation,” says Leo. “Everything that had to do with the inner workings of the cable, how the cable was physically structured, their maintenance periods.”

Not yet old enough to even buy a beer at the time, he could have triggered stock market crashes, disrupted governments or sparked accusations of international espionage.

Instead, he says, “I reported it to the telecommunication company as part of their security programme.

“I didn’t try to do too much because it was an undersea cable. I was fearful of getting thrown at a CIA black site!”

A lucrative pastime

For the most highly skilled hackers, bug bounties can be a lucrative pastime. Leo, now aged 22, claims he has earned “close to a million dollars” from his research efforts. As a…