Sunday, February 21, 2016
Jaswinder Singh Kainaur
Engineer Sh. Anand Prakash Earned Rs. 1.2 Crore from Finding Software Bugs in Facebook, Twitter & Zomato
From hacking into the social media accounts of his friends, to finding more than 90 security flaws for Facebook – Anand Prakash has come a long way with his love for technology and interest in ethical hacking. This is his story.
It was while preparing for his engineering entrance exams in Kota, Rajasthan that Anand Prakash first became interested in hacking. “I had a smart phone and Internet packs were very costly at that time. I came across some kind of proxy setting and figured out a way to use the Internet for free,” he says. The service provider rectified the loophole after some time, when many users came to know about it. But for Anand, it was the beginning of a very eventful journey towards building a career in the field of hacking – the kind that’s ethical.
The information given by him is quoted in italics in this article.
“What I do now is called security research, not hacking,” he is quick to correct.
Today, the 23-year-old is a security engineer with Flipkart, uses the Internet in a more responsible manner, and has been rewarded by many organizations for finding flaws in their software or technology setups.
Anand, who is from the town of Bhadra in Rajasthan, was always interested in computers.
“It was always the same with me. I used to score better in technical subjects, but when it came to subjects like geography, environmental studies, etc., I used to face a lot of problems,” he recalls.
As a student, Anand strengthened his newly acquired knowledge of hacking by experimenting among friends.
“I used to practice phishing on my friends’ accounts with their permission. It is the most basic process in hacking. It involves extracting information like usernames, passwords, etc., by sending out emails to the victims in a way that they will trust them enough to open the links,” he says. Getting access to the password of a friend’s Orkut account was Anand’s first hack.
After Kota, he joined Vellore Institute of Technology to pursue a course in computer science engineering. Anand continued to polish his knowledge of ethical hacking and different programming languages in college, and practiced whatever he learned among friends.
“Up till then, I only knew about hacking processes that involved using some automated tools. And that did not interest me after a point. Finding security flaws in systems is completely different from what I was doing then,” he says.
In the third year of college, Anand came to know about Facebook’s Bug Bounty Program. It offers recognition and compensation to security researchers who find vulnerabilities in Facebook and report them according to the organization’s responsible disclosure policy.
By then, Anand was well-versed in languages like PHP, JavaScript, etc.
“I liked to analyse codes. And when I learnt that Facebook has given monetary compensation to someone for finding a bug in their technology, I thought of giving it a try,” he says.
He made use of the Open Web Application Security Project (OWASP), an initiative of the OWASP Foundation for improving software security in organizations around the world. The project provides open source study materials for understanding the security of applications on the Internet.
“I started learning with the help of OWASP, followed experts on Twitter, and read up a lot about security research. Fortunately, I found a bug on Facebook in just a month. It was a loophole that enabled me to find people online even if they had turned off their chat,” he says. Anand received his first bounty of USD 500 for reporting this issue.
Then he learned that many such organizations welcome people who find security vulnerabilities for them. And the work turned out to be so interesting that there was no turning back for the technology enthusiast. To date, he has found about 90 bugs for Facebook, and ranks fourth in the Facebook wall of fame 2015.
The highest bounty Anand received from Facebook was a sum of USD 12,500 for finding a major security flaw because of which a user could post anything on his/her profile using someone else’s account. “For example, I could post a picture, a video, or text, and it would be visible on my Facebook wall as a post from your side,” he explains.
After college, he did an internship with the Cyber Police Investigation Branch of Gurgaon Police. There he worked on identifying the different strategies used by cyber criminals.
He has also reported issues to companies like Twitter and Google and has earned Rs. 1.2 crore in the process. He was able to hack into the systems of the restaurant discovery and search application Zomato to gain access to the accounts of their 62 million users. He disclosed this issue to the company and they fixed it in two days, appreciating his efforts.
“I always first report the issue to the organization without exposing it elsewhere. It is called responsible disclosure. Then I take permission from them and post about it on my personal blog if they allow it.”
But Anand is not very happy about the way many Indian companies treat security researchers:
“Some companies are very responsive. They fix the bugs immediately and also give monetary compensation without much delay. But if you report bugs to many companies in India, they reply saying they will take legal action against you. The condition is very bad in terms of security here. But it is changing slowly. I have come across some companies that are now open to security research.”
With new technologies coming up every day, Anand’s hunger for learning keeps growing. His advice to those who want to pursue a career in security research:
“Try and report bugs to companies in a responsible manner. And do not disclose the issue unless you have permission. Security research is a great thing if done ethically.”