Meet Ehraz Ahmed, a 24-year-old, independent data security researcher from Mysuru, Karnataka, who since last year has protected the data of 700 million users by helping companies like Airtel, Justdial and Truecaller detect major flaws in their data security architecture. Simultaneously, he runs a fintech and a web security company.
What’s particularly remarkable about this first-year engineering college dropout is that he learnt all the necessary skills not through formal courses, but research on Google. A real online prodigy, Ehraz is looking to protect the data of 1 billion users by the end of this year. So, how did this ethical hacker and serial entrepreneur get to where he is today?
“I began using computers when I was just 10. I remember accompanying my brother to the local cyber cafe paying Rs 30 an hour and playing games like Counter Strike or browsing the internet. Besides playing games, I was exploring different facets of the online world from social media sites like Orkut to finding ways of building a website because my elder brother was a web developer. I would peek into the source code of the websites he built and try to learn things independently through Google. Whatever I have learnt about computers, web security and the online world is through Google,” Ehraz tells The Better India.
It was while playing Counter Strike with his friends that Ehraz found his first opportunity at entrepreneurship. Understanding the craze for the game amongst his friends, at age 14 Ehraz started a game server hosting venture. However, besides providing online gaming servers for players to connect and play the game for just Rs 200 per player, his venture also began offering web hosting services to different websites.
The reason he ventured into the world of entrepreneurship this early was because of a few tragedies in his life. As an 8th grader, he recalls witnessing his brother meet with a serious road accident. Two years later, his father suffered a heart attack.
“My interest in my venture had dimmed after my father’s heart attack. I lost interest in my studies as well. That’s when I put everything on hold to make a fresh start. I wanted to stand on my own feet by doing something better and more significant than what I was doing. These incidents made me realise the value of time and money. Life is short and there is so much left to do not just for yourself but others as well. Nonetheless, by this time, I had grown into a competent web developer, picked up real-life entrepreneurial skills and began understanding some of the basic nuances of data security,” he recalls.
Meanwhile, by the early 2010s, discussions surrounding data security in the online world had begun to take off in India. One day during high school, he read a post on Facebook by a security researcher who was listed in Google’s Hall of Fame for finding a flaw. This researcher was even paid for it. This inspired him to learn how he could do the same.
That’s when he began targeting companies that offered bug bounties to hackers who would help them find flaws in their data security architecture. By the age of 16, Ehraz got listed in 50 Security Researcher Halls of Fame for finding security breaches in companies like Facebook, Microsoft, Apple, Adobe, Blackberry, Soundcloud, and eBay. These Halls of Fame are listings compiled by major tech companies of online security researchers who helped find these flaws.
Besides recognition and a certificate, there was monetary compensation involved which depended on the magnitude of the flaw found. In India, however, he observes that the concept of bug bounties is still very new and not many companies operating here have that facility for freelance security researchers.
His first hall of fame listing was on Facebook, where he discovered a cross-site scripting vulnerability that could have allowed attackers to steal a user’s browser cookies. With these cookies, any hacker could log in to a user’s account without a password, leaving users vulnerable to extortion and blackmail.
“Although I was good at finding security flaws, I was not making enough money from it. Not all companies offer bug bounty programs, while only a few provide monetary rewards. But most of them do acknowledge your efforts in finding that flaw,” he says.
Looking for ways to make money, one day he came across a Facebook post by someone trading in the financial markets who was talking about making money. It piqued his interest and he began exploring this field. Ehraz admits that it took him a while to figure out how it all works because he was sifting through hundreds of blogs.
“It wasn’t the most efficient way of learning, but I wasn’t interested in studying courses. My interest lay in obtaining that raw information about how to navigate this world. In the initial years, I lost a lot of money trading from my brother’s account. Since I was still under 18 during my PUC days, I couldn’t really open my own trading account,” he recalls.
By the time he enrolled in an engineering college at the age of 20, in Mandya, to pursue a course in computer science engineering, he had started a fintech company called Voxy Wealth Management that offered financial advice and analytic services to traders and other consumers who wanted to manage their stock portfolios.
But travelling 80 km up and down from Mysuru to Mandya every day, attending classes and running a fintech company was becoming very stressful. Although he finished his first semester with good marks, when the time came to enroll for the second semester, he began questioning why he was studying these heavy theoretical courses.
“What am I learning all this for? Completing these courses felt like climbing a mountain, reaching the top and then seeing nothing. I had already begun earning money through my company. Meanwhile, I was already getting job offers because of the work I had done detecting security flaws across different websites. I eventually figured out engineering college wasn’t meant for me and before the second semester in 2017, I decided to drop out to start a web security company as well,” says Ehraz.
After launching Voxy Wealth Management, he started Aspirehive—a web security company that offers solutions for small and medium-sized companies—in December 2017.
Unfortunately, as he was making his way simultaneously in the world of financial markets and web security, another tragedy struck home.
In April 2018, his elder brother met with another road accident. He suffered an injury and upon recovery, his brother expressed a desire to start a company together. Following this conversation, he began work on launching a new company called StackNexo.
The premise for StackNexo is to offer all web services and solutions on a single platform. He describes it like an Amazon for users wanting to start their own website.
“We seek to provide all necessary services for starting your own website on one platform instead of compelling you to visit different websites for domain services, hosting services, etc. This is for entrepreneurs or users looking to start their own website without the necessary IT expertise. I have partnered with 20 companies like Stackpath, Cloudflare and Google to integrate their services on our web platform. I have spent over a year developing this platform and our plan is to launch the company in two months,” he says.
Protecting people’s data
While working on all these companies, Ehraz also began reading news of major data breaches in Indian companies last year. Using his expertise, he decided to help.
His work commenced in August 2019, and by December he had safeguarded user data of over 700 million users. In Airtel, for example, which is India’s second-largest telecom network, Ehraz had found a security flaw that could have allowed hackers to steal sensitive data of 320 million users. By December, he had discovered and reported data breaches to 10 companies, including Truecaller, Justdial and Nykaa.
By the end of this year, his objective is to protect the data security of 1 billion users. His work in this regard hasn’t stopped. Most recently, he detected and reported a major security flaw in a company called Thrillophilia that risked sensitive data of 2 million users.
“We don’t fix data breaches, but find them, report and notify the said company via email. With Airtel, for example, I began scanning their My Airtel app. I found a very simple flaw in their application programming interface (API), which hackers could exploit to gain access into users’ personal data (address, location, IMEI, sex) through their mobile number. It took me just 15 minutes to find this flaw and access all this confidential data. Honestly, I was shocked to find such a basic flaw. Moreover, I am an Airtel user and it scared me how vulnerable their data was to this breach. With a user’s IMEI number, hackers can organise spear phishing attacks into your system using just a simple SMS,” he says.
With Truecaller, he had found a vulnerability on the app’s backend attached to the user’s profile picture. With this breach, if a user is trying to find out about who’s calling from an unknown number, a hacker could mine their location, figure out their IP address and their identity. As a result of this breach, nearly 150 million users were at risk here. Another major Indian company he assisted was Justdial, which has over 165 million users.
Through the breach he detected, hackers could log into a user’s Justdial account, access their JD pay (their payment gateway) and divert payments away from a particular merchant into another account. He approached the company and got this major flaw fixed.
Most small companies/startups, he believes, don’t focus on data security, and instead look towards getting the venture off the ground and earning all the money back that was invested. But these breaches are not restricted to small startups.
Just a couple of weeks ago, Big Basket suffered a major data breach.
“Government must make data security auditing mandatory. Secondly, we don’t have the legal architecture in place for independent security researchers like me to disclose to companies about major flaws in their data security. Indian companies, particularly the major ones, don’t have a responsible disclosure policy in place. Without such a policy, companies get intimidated when we find flaws and begin questioning us even though our intentions are good. There are no laws to govern and protect security researchers like us. International companies, meanwhile, are a lot more accessible and we can easily help them find flaws without any threat of a blowback. Indian companies have to start promoting bug bounty programs so that independent researchers can help them find flaws,” he says.
After all, there isn’t a bigger commodity out there than user data.
(Edited by Yoshita Rao)