A Man of Action: Meet Callum Carney

Hidden Talents: He was a competitive swimmer for many years.

Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet.

5 pieces of entertainment for the rest of his life: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

Favorite non-profit: RSPCA

How he takes his tea: Through his mouth

Superpower: Doesn’t suffer from hangovers

The first thing you should know about Callum Carney is that he doesn’t like talking about himself. Shy? Not necessarily. Quick witted and charming? Yes. However, Callum is best understood through his actions, rather than his words. Callum is just 23 years old and a budding security research prodigy. At a young age he has achieved great success finding bugs in organizations like Microsoft, Spotify, and Google. While he would never toot his own horn, Callum has made monumental contributions in protecting the cloud and has quickly gained a reputation with plenty of accolades to show for it.

Callum was a young, inquisitive boy with a high interest in computers when his Habbo account was hacked. Someone stole his coins, and he was left irritated, but curious as to how it happened (he fully admits this was his fault since his password was Callum123). This little seed of injustice would grow within him as his passion for computers expanded too. Throughout his school years, he recalls spending more time fixing other people’s computers than learning in the classroom.

Early on he stumbled upon a live stream demonstrating Cross-Site Scripting (XSS) which piqued his interest. His hacking aspirations became a reality at the first sight of a pop-up alert on screen saying, “You’ve been hacked!!!”

From that moment I was hooked. I’ve never actually been able to come off this rush. Security research is addictive.

One time in a college computer class Callum was tinkering around on his laptop during a lesson. Bored, but still as curious as ever, Callum began trying to hack the lesson websites domain. He ended up finding a devastating bug and reported it under the guise of anonymity in hopes of avoiding an awkward encounter down the road. However, he forgot to update the shared URL which ended up exposing he was a student at the college. At this point he was just 16. As he put it, there are bound to be small mistakes when you’re starting out, right? Unbeknownst to him, the company hosting the affected website was a subsidiary of the college. Their team replied asking for him to meet to discuss his findings. After much deliberation (even with his mother) and fears of great repercussions, he accepted the meeting. To his good fortune, he was not arrested (ethical hacking is still a gray area in the UK). Instead, the company had the foresight to take a risk. They offered him a position within the company and Callum has been a part of their team for six years now!  

When he isn’t working his day job, Callum moonlights as a security researcher. This is where his work speaks for itself. As a multi-year Microsoft Most Valuable Researcher (MVR) Callum’s reputation cannot be ignored. Whilst he didn’t set out to hunt for vulnerabilities for big tech, he is proud of his impact.

I see the whole community and what this space is, as the last line of defense. Inside large companies there are a lot of processes, and smart people who develop them. It’s up to us to check and make sure there is nothing left over. And it’s our job to find it. I see it as the last line for cyber security.

When it comes to guiding the next generation of researchers, Callum strongly believes this field is for anybody, and there is no better time to get in on the action than right now.

The number of resources available to learn about security is always growing. In my opinion it’s great to learn by reading previously disclosed issues and getting hands-on with applications in the real world by finding vulnerabilities to report in organizations that have defined security policies.

Callum stressed not to get demotivated if you aren’t successful immediately. Rather, he suggested that whatever you’re testing is made by humans and humans make mistakes. Keep on pushing, but don’t get burned out. Some of his favorite bugs to find are the ones where the general user is none the wiser. Take for example the time he was robbed of his coins as a kid playing Habbo. He would have liked to be the person who figured out you could steal from others, fix it, and the user would have no clue there was even a threat. The same concept applies to his larger bug bounties.

Stop doubting what you’re doing or coming up with reasons not to do something. Give it a go.

Despite not caring to share too many words about himself, he is quite witty, and quick with comebacks which brings out a sort of endearing quality about who he is deep down. Fellow researcher Wouter (@wtm_offensi) is happy to tell us what he thinks of Callum. “Callum and I met in person for the first time about four years ago. This was at an invite-only bug bounty event where he gave an impressive talk about some of his bug hunting findings and experiences.  During that event and the events that followed in the years after, I got to know Callum as a young yet skilled researcher who is not only great fun to be around (who doesn’t like a good sense of British humor) but also knows when to work hard to deliver high impact bugs that get the job done. After working together and sharing our insights at some undisclosed hacking event we kept in touch online to share ideas on some of our findings. Sharing information with other researchers is not always the easiest thing to do, since most of us rely on bugs as a (main) source of income, yet Callum is always willing to help think things over as a sparring partner. Nowadays we occasionally collaborate on research related to Azure, to help each other forward and make the hunt for bugs more fun. Callum always seems to be able to find targets that are exciting to work on, e.g., potential targets. I’m a big fan of the man himself and his work.”

Like WTM, we are huge fans of Callum (@callum_infosec) and we cannot thank him enough for his amazing research and partnership with MSRC! Thank you for your contributions that help secure Microsoft customers.