Story highlights:
- Anand Prakash has received more than Rs. 2 crore in bug bounty payouts from Facebook,
Uber, Salesforce, Souq.com, and Twitter. - He has launched a new platform for responsible disclosure for bug bounty hunters in Asia.
- High-profile Indian tech startups such as Swiggy, Zoomcar, Oyo Rooms, Jugnoo, Toppr, and Freshmenu have signed up to the platform.
Anand Prakash just turned 24, and he is already way richer than most people in his cohort. One of India’s highest-paid bug bounty hunters and a gig economy hero, Prakash’s life revolves around getting payouts from tech companies for responsibly disclosing exploits and vulnerabilities on their websites and/or software products. A self-professed former “script kiddie”, he’s currently at the top of the talent pool, with a podium finish on Facebook’s Whitehat page in 2016 and 2014. He’s also had large payouts from Twitter and Uber for responsibly disclosing vulnerabilities in their software and websites.
Prakash came down to the FactorDaily office in Bengaluru, where we spoke to him about his journey to where he is now and the formative experiences that shaped his life. He told us about the tools of his trade, white hat hacker ethics, his new startup (Appsecure India), and his plans for creating a home-grown bug bounty platform comparable to HackerOne.
From script kiddie to a white hat wizard
Teach a boy to phish, and he’ll pwn you. Prakash’s interest in what happens under the hood — under the shiny UX of a website — started in his teens.
Schooled in Bhadra, Rajasthan, Prakash had just moved to Kota to prepare for his B Tech entrance exams in 2008. One of his friends challenged him to hack his Orkut account (yes, we didn’t have Facebook then). So, he did what most of us do now when presented with a new challenge — he asked Google.
“After that incident, I got much more into this stuff. Into tricks, not real hacking, only into the script kiddie thingie”
– Anand Prakash
He had a Pentium III PC at the time. A Google search led him to a 15-step tutorial that showed him how it could be done. “It was simply a phishing page creation. To host your fake page, simply copy the source code, and host it somewhere else,” he says. He managed to get his friend to open the fake Orkut login page, and successfully captured his username and password.
Phishing is a simple social engineering technique wherein a hacker intercepts login and credit card details through fake websites. It’s blatantly obvious to anyone who hawkishly scans the address tab on the web browser, but surprisingly effective with noobs.
“After that incident, I got much more into this stuff. Into tricks, not real hacking, only into the script kiddie thingie,” says Prakash.
His other big exploit during his teens was being able to access free internet through his Nokia 6600 handset. “I found a few steps, a proxy or something, some random IP address, and I was able to successfully use the internet for free for somewhere around 10 to 11 months,” he says.
One of Prakash’s big turning points was getting a computer science admission at VIT (Vellore Institute of Technology) University, Chennai, in 2010. He started learning computer languages PHP and Javascript there. “I knew all these languages very well in my college days,” he says. “So, instead of following 10 steps (as in the Orkut account hack), I knew what actually happened, and what was the hack. What was the code that captured the password, for example. I started learning the basics of hacking. And then I started to move into other areas, such as web application security,” he adds.
Prakash put his skills to use while in college — working as a freelancer, reporting security bugs to companies. For someone who used to survive on a budget of Rs 3,000 a month at the time, his payouts, which ranged from Rs 30,000-100,000, were huge. “I used to pay my college fees after that,” he says.
His big ticket bug bounties
Fast forward to adult life and work: Prakash did a two-and-a-half year stint at Flipkart, working as a security engineer in 2014-2016. His biggest payouts came from Facebook during that period. “One of my biggest Facebook bounties was the account takeover bug, which was very famous, where you go to beta.facebook.com and set a new password for someone else’s account,” he says. As detailed on his blog, he was able to successfully run a brute-force login attack on his own account.
“You need to be intelligent in selecting the type of application, and the attack as well.”
– Anand Prakash
In a brute-force attack, a hacker tries many passwords with the hope of eventually guessing the correct one. He discovered that Facebook had left out rate limiting on their ‘forgot password’ endpoints on beta.facebook.com and basic.beta.facebook.com. This particular bug took him just 15-20 minutes to discover, and he was paid $15,000 for the disclosure.
“But saying that is not always true. There are days when I am looking for security bugs for three days, and there is none to be found,” says Prakash. “You need to be intelligent in selecting the type of application, and the attack as well. I never thought Facebook would miss rate-limiting, but the extra thing that I thought of was to try the same thing on a subdomain, and that worked.”
In another disclosure to Facebook, which netted him a $12,500 bounty, he found an exploit in the ‘Say Thanks’ page, which allowed him to post from anyone’s profile. Apart from Facebook his biggest payouts have come from Uber, Salesforce, Souq.com, and Twitter, he says.
The tools of his trade
Prakash uses a 12-inch Macbook, which we noticed had its CTRL and Shift keys worn out due to overuse. On the software side, he uses Burp Suite, a web application security testing toolkit.
“This is the tool that most bounty hunters use. All the companies that are running bounty programmes already have automated tools and security teams in place. We need to be one step ahead of them,” he says.
His most-used tool is Burp Suite. “It’s an intercepting proxy,” he says. “So when you browse something from your phone, or from your laptop, or from your browser, we try to modify and intercept web traffic by setting the proxy, and play with the requests which are going in and out from the client to the server,” Prakash says.
He further explains how he used Burp Suite in his recent Uber free ride bug. “I simply captured all the requests going from my mobile device to the server using my PC. I changed the payment method over there, and figured out I could have used it for free rides,” he says.
On bug bounty ethics
He worked with Haryana Police as a cybersecurity intern for a couple of months in 2013, which he considers a formative experience. “The internship was very important for me, as I learnt a lot of ethics around things. How do you responsibly disclose issues to companies in an ethical way instead of straight away sending data to them and asking for a bug bounty. What can happen if you don’t follow the ethics part, he says, adding you will end up in jail in that case.
The Zomato data breach that took place in May was an interesting talking point on white hat ethics. While the hacker eventually agreed to take down Zomato’s data dump, which contained details of 17 million users, Prakash says if a company doesn’t pay bug bounties, leaking its data as a retaliatory measure and strong-arming it to issue a bug bounty program is highly unethical.
“While Zomato didn’t have a bug bounty program, it was running its responsible disclosure page. We hackers appreciate that it is a very good thing to at least run a responsible disclosure page,” he says.
His new venture — a platform for responsible disclosure
A year ago, Prakash launched his startup, App Secure. It’s a bootstrapped company at this point, run by a seven-person team. “Most security consultancies use tools to generate a pentest (penetration testing) report, and submit it to companies. We do red teaming,” he says, explaining what AppSecure does. “Red teaming” is a form of ethical penetration testing in which a group of hackers try to gain access to a company’s systems with the mindset of an external attacker.
“Whenever some breach happens, a few additional requests come to me, related to how to secure their site or something like that.”
– Anand Prakash
“Whenever some breach happens, a few additional requests come to me, related to how to secure their site or something like that. Even after the Zomato hack, I’ve seen a lot of traction for our bug bounty platform, to prepare for such an event. We emailed them two years back, but now they are coming back to us,” he says.
Prakash adds that they’re not looking to raise funds right now and are trying things on their own. “I think we are doing good,” he says.
He also showed us a rough cut of his bug bounty platform (hackerhive.io). Hackerhive is a platform that lets startups set up a public responsible disclosure page within minutes. He agrees that it’s a comparable to HackerOne, but adds that the focus is more on Asian startups. Other startups in the crowdsourced vulnerability testing space include Bugcrowd and Synack.
The official launch for the platform is slated for Monday, August 7. “You can go to our site, create a responsible disclosure policy page for free, and add it to the footer of your website. Using the Hackerhive platform, one can effectively manage the coordination of vulnerabilities,” he says.
Although it’s still early days for Hackerhive, a bunch of high-profile Indian tech startups have already signed on the platform — including Swiggy, Zoomcar, Oyo Rooms, Jugnoo, Toppr, and Freshmenu. As for infosec talent, Prakash has managed to rope in more than 50 ethical hackers on the platform so far. He hopes that building one’s profile and ranking high on the leaderboard will encourage ethical hackers to join the platform.
“It may work in India, but Indian companies are still inclined towards traditional security consultancy testing,” says Pranav Hivarekar, a security researcher who held a top 10 spot on Facebook’s Whitehat page in 2016 and 2017. “Attracting groups of skilled hackers requires you to pay handsome amounts, which Indian companies cannot pay, unlike giants such as Facebook, Google, Microsoft or any other US/European company,” he says.
In terms of bench strength, India certainly seems to have it in droves. It is the top country in terms of Facebook payouts, according to an update on payouts by Joey Tyson, former security engineer on the Facebook bug bounty team.
“India is really growing in terms of security research. Many of our Indian researchers are presenting their research at leading security conferences like BlackHat, Defcon, Appsec,” says Archita Aparichita, a former bug bounty hunter, and a senior software engineer at Philips in Bangalore.
“It’s because of their technical prowess. Most of the bounty hunters are doing their BTech, or are doing engineering. They are curious to learn more. Then there’s obviously the money involved — whatever a US company pays, it is multiplied by 60 or more,” Prakash says.
While Indian startups are notoriously bad when it comes to bug bounty payouts, Prakash hopes that with time, they will develop the understanding that paying bounties is a good way to attract hackers, and find bugs. “Swiggy is giving us rewards on the platform right now, starting at Rs 1,000, with no ceiling on payouts, based on the severity of the bug,” he says.