Indian hackers who debugged Facebook, Netflix, Airbnb, Paypal – Quartz India
Until now, being a techie in India has been synonymous with being a coder or a developer. But not anymore.
Ethical hacking has become a lucrative career path for engineers across the country.
Laxman Muthiyah, a 26-year-old independent security researcher based in Chennai, has made $62,000 (Rs44 lakh) over the past five years by finding security holes in Facebook and its Instagram photo-sharing app. In March of this year Rohit Kumar, a sophomore at Lovely Professional University (LPU), was inducted into the Facebook Hall of Fame for being among the top 20 bug bounty hunters of 2018.
In 2018, Indian hackers claimed the second largest share of bounties in the world, after the United States, according to cybersecurity firm HackerOne.
Quartz spoke to three ethical hackers: Sandeep Singh, a 25-year-old security analyst at HackerOne; 23-year-old Shivam Vashisht, who dropped out of mining engineering at the National Institute of Technology (NIT), Raipur, in his second year; and Harsh Jaiswal, 21, who works by day as a security engineer at food technology company Zomato and is a hacker by night.
How did you come to hacking and when did it become a profession?
Singh: It all started when I followed a friend’s suggestion to take some ethical hacking training. I had been hacking for three years when I discovered bug bounties.
Jaiswal: I have a love for computer games. So I used to search for hacks for games, which led me to a lot of websites trying to trick me into filling in my Facebook/Google passwords. That’s when I heard about phishing attacks. By the time I got my first Medium award, it made me realize it was cool. If it allows you to learn and earn together, why not make a career out of it?
Why do you prefer hacking to a traditional developer job?
Vashisht: In a traditional, low-paying developer job, I would just scratch the surface with some technology and work to develop things without having the big picture in mind. With hacking I can explore a lot more and the result is powerful.
What platforms have you hacked into?
Singh: I used to hack on Airbnb, Facebook and most of the others are private companies so I can’t reveal their names.
Vashisht: Some of my favorites are Yahoo!, MasterCard, Netflix, and Okta. They have very welcoming security teams. I also work privately with well-known billion-dollar companies that I am not allowed to name publicly.
Jaiswal: If I had to pick a few, it would be Vimeo, PayPal, and Linode. They have a great response time, they appreciate my efforts, and of course, they reward well. It’s always motivating when all of these boxes are checked.
Can you give some specific examples of the biggest threats you helped diagnose/solve?
Vashisht: One was at an online recruiting company based in the United States. I found a loophole that disclosed each user’s private information, which, if used maliciously, could have been used to lock or encrypt all data. For the fully locked down admin panel of a US based music company, I was able to inject SQL queries that could have been used to download all of their users’ data, log into the admin panel, and gain full access to the file system of their servers.
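Vashisht mentions injecting SQL queries into a locked-down admin panel. The following is an added illustration, not code from the article or from any company named in it, of why that class of bug works and what the fix looks like: the same login lookup written with string concatenation and then with parameterised queries, against a small constructed SQLite table. The table, the `admin` row and the "hash" string are all made up for the demo.

```python
"""Added example (not from the Quartz article): a login lookup written two
ways, showing why SQL injection against an admin panel works and how
parameterised queries stop it. All names, tables and values are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for an admin panel's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-correct-password', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    # Untrusted input is pasted straight into the SQL text, so a quote in the
    # input changes the structure of the query instead of being compared as data.
    sql = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str):
    # Placeholders: the driver sends the values separately from the query text,
    # so quotes and comment markers inside them are just characters to match.
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def demo() -> dict:
    """Run both versions against the same malformed username and a real login."""
    conn = build_db()
    # A username containing a quote and a comment marker; in the concatenated
    # query it closes the string and comments out the password check.
    malformed_user = "admin' --"
    return {
        "vulnerable": login_vulnerable(conn, malformed_user, "wrong"),
        "parameterised": login_parameterised(conn, malformed_user, "wrong"),
        "legitimate": login_parameterised(conn, "admin", "hash-of-correct-password"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

The concatenated version returns the admin row without the right password, the parameterised version returns nothing for the same input, and a genuine login still works. In a real system the stored value would be a proper password hash (bcrypt, scrypt or Argon2) rather than the placeholder string used here, and the parameterised form is the one to keep.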
Jaiswal: I have helped uncover tons of security vulnerabilities, which include, but are not limited to, data breaches where the private information of all users of a product could have been disclosed, and authentication bypasses, where we could have accessed user accounts.
How do you earn money: bounties or salaries?
Vashisht: My only source of income is bounties. It has increased for me every year. In 2018, I earned around $125,000 (Rs90 lakh).
Jaiswal: This is very subjective, but if I am to give an average bug bounty income it should be around $40,000 to $60,000 per year. It can be a lot more depending on how many hours and effort you put in and what kind of bugs and programs you’re focusing on.
Previously (my income) was just bounties, but now salary plays a role as well. Salaries are constant. When it comes to bounties, there is burnout. There will be a period when you start to feel exhausted and you need a good rest to come back stronger.
What is the highest amount you have ever been paid for a hack? Please describe what it was.
Singh: $6,000 from a private company for accessing the company’s internal sign, which was not supposed to be accessible to anyone from the outside.
Vashisht: I was paid $11,500 for a bug in Yahoo!. I was able to steal a user’s account cookies by using one of their servers to inject malicious code, which resulted in a complete takeover of the account, i.e. allowing the attacker to read all of the Yahoo! email content, and could be used to further compromise associated accounts such as Facebook. The server was shut down a few hours after the flaw was corrected.
Jaiswal: I was paid $30,000 by PayPal for executing arbitrary operating system commands on PayPal’s server. I had collaborated with a friend for this hack. My highest-paid individual bug was $20,000, again from PayPal, for figuring out a way to steal access tokens from other users who might have given me access to their accounts.
How is the hacker community in India?
Vashisht: The Indian hacker community is the largest in the world. (The country is home to 27% of all hackers in the world.) You can see hackers from almost all parts of India. In terms of gender, men are dominant at the moment, but this community is quite open and I see a lot of women joining us. In the years to come, that is sure to change as awareness of careers related to information security increases.
Jaiswal: I have friends in information security from all over India. There are people who are not financially strong and there are people who are. I’ve seen people support their families financially with bug bounties, which is really cool.
Where do you see yourself in 10 years? What is the future of this profession?
Singh: Personally, I hope I will relax and live a peaceful life in a corner of India near the mountains and nature. Bug Bounty has a very bright future and is one of the best career paths for skilled guys who want to live independent lives on their own terms.
Vashisht: I would probably like to invest some time to do some research. It is a lesser-known profession and has tons of potential; most of these jobs in companies around the world are vacant.
Jaiswal: I think we have to take it step by step. I’m inspired by Orange Tsai, filedescriptor and François’s research and aim to do good research like them in the future and contribute to the community. As for the future, remember, “Data is the new oil.” Everything is happening online, so the cybersecurity industry is only going to explode. In addition, with the entry into force of new security laws like the GDPR, the future only gets better.