2021 security predictions from HackerOne’s top ethical hackers

As 2020 comes to a close, top ethical hackers and researchers of HackerOne, a bug bounty and responsible vulnerability disclosure platform, offer insights into what security trends 2021 may bring.

Samuel Eng (Samengmg), Singapore

What’s changed for you this year?

Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL Injections and basic authentication bypasses.

What should businesses look out for next year?

I still find many authentication bypasses and access control issues, which I think continue to have a significant impact on any company. This will probably continue since the issue is based on the context of the application. Scanners do not pick up these issues hence the need to have experienced and trained eyes looking for them.

What vulnerability trends do you see emerging next year? 

OTP bypasses tend to be quite prominent in APAC. 2FA is a compliance requirement that has rapidly emerged in APAC, and this means developers tend to roll out these features quickly but not securely. On the other hand, previously common vulnerabilities such as CSRF or SQL Injection will be reduced due to frameworks adopting secure default settings.

Shubham Shah (notnaffy), Australia

What’s changed for you this year? 

With an almost global lockdown, I’ve increasingly worked virtually with other hackers to collaborate on bug bounty programs in order to discover more critical vulnerabilities. When calculating security, two variables are normally taken into account: time and resources. At the moment, there is far more time to spend on breaking the security of any given target, meaning there is a higher chance of finding vulnerabilities.

What should business look out for next year?

As businesses recover from this pandemic and economies are rebuilt, I predict that there will be an uptick in application development and deployment. That means the rapid introduction of new assets, applications and networks; a growth that will be challenging to manage from a security perspective. I believe the biggest threat to both businesses and government agencies will be managing their attack surface and the respective security exposures as they rebuild and grow.

What vulnerability trends do you expect to see? 

I also expect to see more low hanging fruit being introduced within attack surfaces, as companies work on deploying new infrastructure following the pandemic. I mostly expect these low hanging fruits to be classified as security misconfigurations within cloud deployments leading to critical vulnerabilities or exposure. 

As we have seen in the last quarter of 2020, attackers are targeting companies that store critical information (medical records) or host critical infrastructure (hospitals) in order to achieve their goals from ransomware attacks (large ransoms being paid out). I unfortunately believe this trend will continue, with a total disregard of morals, targeting industries or companies that service the most vulnerable people in our society. This is a grim outlook on the future, but given the pace of current attackers, I would not be surprised if infrastructure that is critical to our livelihoods is targeted (SCADA systems, Telco’s, Healthcare, Education).

James Kettle (albinowax), UK

What’s changed for you this year?

I’ve seen a significant increase in mitigations against the biggest vulnerability classes. From same-site cookies being enabled by default in browsers, to Amazon releasing HTTP Desync Guardian, hackers are increasingly having to work around roadblocks bigger than poorly-maintained WAF regexes.

What vulnerability trends do you expect to emerge in 2021?

We’ll see more people exploiting discrepancies between multi-server applications, through the likes of request smuggling, parameter pollution and path normalisation exploits.

What about new techniques?

There’s a long tail of esoteric techniques that hardly anyone bothers with because they can achieve better results using well-understood, lower-effort attacks. As the classic attacks get mitigated and picked off by automated scanners, I think we’ll see a gradual trend of hackers embracing the obscure – business logic flaws, race conditions, timing attacks and convoluted attack chains in general.

Julien Ahrens (MrTuxracer), Germany

What do you think will be the biggest threat to businesses in the next year?

The COVID-19 pandemic has forced business to speed up their digital transformation in ways they weren’t expecting. As a result, I think that we’re going to see an influx of attacks, especially against those who have just begun digitising. One thing that particularly concerns me in Germany is the enormous speed of government institutions, like schools, that are moving everything online. Activities like homeschooling, which essentially didn’t exist pre COVID, are now the de-facto standard for almost all schools. They had to build systems and processes with very little time, which is never a good thing when it comes to security. I’m not even just talking about technical flaws that lead to security issues, but also also the security awareness of teachers and pupils.

What poses the greatest risk next year?

It’s inevitable that all kinds of attacks will increase in 2021 because more companies are moving online. But there is one type of attack I think will increase exponentially, and more than any technical attacks: social engineering. I think social engineering attacks against people who aren’t sufficiently guarded and aware will massively increase because companies won’t have had the time to sufficiently educate their employees about the threat.

Are attitudes to working with hackers becoming more positive? 

Absolutely! It’s a logical consequence that if companies have to move more of their activities online, the need for security increases accordingly. Due to the growing awareness especially in the media of hackers finding and fixing bugs, businesses are becoming more aware of the fact that guys like me could actually help them.