From hacking into the social media accounts of his friends, to finding more than 90 security flaws for Facebook – Anand Prakash has come a long way with his love for technology and interest in ethical hacking. This is his story.
It was while preparing for his engineering entrance exams in Kota, Rajasthan that Anand Prakash first became interested in hacking. “I had a smartphone and Internet packs were very costly at that time. I came across some kind of proxy setting and figured out a way to use the Internet for free,” he says. The service provider rectified the loophole after some time when many users came to know about it. But for Anand, it was the beginning of a very eventful journey towards building a career in the field of hacking – the kind that’s ethical.
“What I do now is called security research, not hacking,” he is quick to correct.
Today, the 23-year-old is a security engineer with Flipkart, uses the Internet in a more responsible manner, and has been rewarded by many organizations for finding flaws in their software or technology setups.
Anand, who is from the town of Bhadra in Rajasthan, was always interested in computers.
“It was always the same with me. I used to score better in technical subjects, but when it came to subjects like geography, environmental studies, etc., I used to face a lot of problems,” he recalls.
As a student, Anand strengthened his newly acquired knowledge of hacking by experimenting among friends.
“I used to practice phishing on my friends’ accounts with their permission. It is the most basic process in hacking. It involves extracting information like usernames, passwords, etc., by sending out emails to the victims in a way that they will trust them enough to open the links,” he says. Getting access to the password of a friend’s Orkut account was Anand’s first hack.
After Kota, he joined Vellore Institute of Technology to pursue a course in computer science engineering. Anand continued to polish his knowledge about ethical hacking and different programming languages in college, and practiced whatever he learned among friends.
“Up till then, I only knew about hacking processes that involved using some automated tools. And that did not interest me after a point. Finding security flaws in systems is completely different from what I was doing then,” he says.
In the third year of college, Anand came to know about Facebook’s Bug Bounty Program. It offers recognition and compensation to security researchers who find vulnerabilities in Facebook and report them according to the organization’s responsible disclosure policy.
“I liked to analyse code. And when I learnt that Facebook had given monetary compensation to someone for finding a bug in their technology, I thought of giving it a try,” he says.
He turned to the Open Web Application Security Project (OWASP), an initiative of the OWASP Foundation aimed at improving software security in organizations around the world. The project publishes open-source study material that helps users understand web application security.
“I started learning with the help of OWASP, followed experts on Twitter, and read up a lot about security research. Fortunately, I found a bug on Facebook in just a month. It was a loophole that enabled me to find people online even if they had turned off their chat,” he says. Anand received his first bounty of USD 500 for reporting this issue.
Then he learned that many such organizations welcome people who find security vulnerabilities for them. And the work turned out to be so interesting that there was no turning back for the technology enthusiast. To date, he has found about 90 bugs for Facebook, and ranks fourth in the Facebook wall of fame 2015.
The highest bounty Anand received from Facebook was a sum of USD 12,500 for finding a major security flaw because of which a user could post anything on his/her profile using someone else’s account. “For example, I could post a picture, a video, or text, and it would be visible on my Facebook wall as a post from your side,” he explains.
After college, he did an internship with the Cyber Police Investigation Branch of Gurgaon Police. There he worked on finding the different strategies used by cyber criminals.
He has also reported issues to companies like Twitter and Google and has earned Rs. 1.2 crore in the process. He was able to hack into the systems of the restaurant discovery and search application Zomato to gain access to the accounts of their 62 million users. He disclosed this issue to the company, and they fixed it in two days, appreciating his efforts.
“I always first report the issue to the organization without exposing it elsewhere. It is called responsible disclosure. Then I take permission from them and post about it on my personal blog if they allow it.”
But Anand is not very happy about the way many Indian companies treat security researchers:
“Some companies are very responsive. They fix the bugs immediately and also give monetary compensation without much delay. But if you report bugs to many companies in India, they reply saying they will take legal action against you. The condition is very bad in terms of security here. But it is changing slowly. I have come across some companies that are now open to security research.”
With new technologies coming up every day, Anand’s hunger for learning keeps developing. His advice to those who want to pursue a career in security research: “Try and report bugs to companies in a responsible manner. And do not disclose the issue unless you have permission. Security research is a great thing if done ethically.”