How bug bounty hunters are helping to keep e-commerce platforms safe


Bug bounty programs are all the rage these days, and it’s not hard to see why, given the cost of a major cybersecurity breach both to an organisation’s finances and its reputation. For the uninitiated, a bug bounty program is when a white hat, or ethical, hacker is invited by a company to search for vulnerabilities in its IT infrastructure. These programs are seen as game-changers when it comes to cybersecurity, and organisations offer big rewards to those who can help them find and fix potential problems.

One such organisation is e-commerce platform Lazada, which has been running a bug bounty program with YesWeHack, a global bug bounty platform, for the past two years.

The partnership has allowed Lazada to test applications before rolling them out to a large audience and gain an in-depth understanding of the shortcomings in its IT infrastructure.

In August, it ran a two-day live bug bounty event with YesWeHack, which resulted in 115 vulnerability reports being submitted by security researchers.

“We have continued to redouble our efforts to keep the platform and our customer information secure,” Bruno Demarche, Lazada Group’s manager for red team and security testing team lead, told Inside Retail.

$10,000 rewards

The rapid shift to online shopping during the Covid-19 pandemic has led to a big increase in cyber attacks, with the Optus breach in Australia being just the latest example. Businesses have to act fast to keep up with the evolving security threat.

“We embarked on a partnership with YesWeHack in January of 2020, where we launched a private bug bounty program and engaged 20 security researchers to discover security vulnerabilities in our IT environment,” Demarche said.

Since then, the company has expanded the team to 100 people and opened up the program to the public, inviting over 45,000 ethical hackers to attack its systems and offering rewards of up to US$10,000 per bounty.

“We worked with YesWeHack to organise a remote 30-hour live bug bounty event at the Hack In The Box Security Conference, where we invited researchers from Europe, Apac and all over the world to visit Singapore to participate,” Demarche said.

More than 60 security researchers, including some of the best ethical hackers in the world, participated in the two-day event, which resulted in 30 accepted vulnerability reports.

To ensure the participants could test Lazada’s systems and applications as thoroughly as possible, the e-commerce company voluntarily disabled some of its security mechanisms for the duration of the event. Researchers were able to bypass Web Application Firewalls (WAF), allowing them to hack into Lazada’s sites and services directly.

In addition to WAFs, Lazada disabled other security solutions that are typically used as a first line of defence.

“This is especially insightful for our red team, who mount deliberate attacks on our systems daily to identify and fix vulnerabilities,” Demarche said.

A two-way street

When it comes to building a safe and trusted e-commerce ecosystem, Demarche says that several factors need to come together to ensure everything runs smoothly.

“It’s a joint effort when it comes to building a safe and trusted e-commerce ecosystem. All stakeholders in the ecosystem can play a part, whether it’s the e-commerce platform, buyers, sellers or enablers,” he said.

He advises all stakeholders to pay attention to where transactions, conversations and processes take place.

For example, in the case of Lazada, all communication and processes occur on its platform and never in a third-party environment, such as a social media platform, text or instant messaging app.

“If any transaction requires users to sign up on a different website, transfer funds to an external bank account or purchase items outside of the platform’s environment, it is likely unsafe, and the sender should be reported and blocked to avoid further communication,” he said.

Generally, he feels that users should create strong passwords, enable two-factor authentication for their logins and keep a robust anti-virus application on all their devices. They should also update their devices regularly to ensure their personal information remains secure online.
