Anand Prakash, a product security engineer at Flipkart, wrote in a blog post on February 22 that he had found a simple vulnerability on Facebook that could have been used to hack into any user’s account to get access to credit or debit card details, personal pictures, and messages without any user interaction. The 22-year-old earned around Rs 1.3 crore just by reporting bugs for Facebook, Twitter and a host of other US-based companies. For his recent contribution, he was awarded close to Rs 10 lakh.
In an email interview with Rohan Laik of the EconomicTimes.com, Anand Prakash talks about his passion, obsession and digital expertise at 22. He also spells out his lofty ambitions that include starting work on his own to secure Indian companies.
Congratulations. Are you a seasoned bounty hunter? How did you start doing this type of error-killing?
Thank you. No, I am not a seasoned bounty hunter. I started doing this back in 2013 after completing my graduation in B.Tech. It all started with free Internet from a network operator for a year. This is an interesting field.
How did you sense such a security breach on Facebook’s part? Do you keep checking such websites for security leaks?
I keep testing Facebook (FB) on a regular basis for bugs. Yes, in general, I always keep an eye out for such websites to test security vulnerabilities.
90 bugs for Facebook and 30 for Twitter: those are no small numbers. Do you want to hunt for FB or Twitter on a regular basis? Shed some light on these bugs and the potential threat they carried. Are there any more grey areas of concern?
Yes, I hunt for bugs on Facebook and Twitter on a regular basis. One of my best finds was to know that I was capable of hacking into accounts of 1.6 billion FB users (the recent one). But as a whitehat hacker, one should never do this. I believe in making the Internet a safer place for all.
Why did you want to help websites like Facebook and Twitter? Was it curiosity, professional ability or just the bounty involved?
It had more to do with data security. Facebook has 1.6 billion users and Twitter has 320 million monthly active users. So data security was my key concern, not the bounty or professional ability.
Considering that you are a product security engineer at Flipkart, what is it about cyber security that gives you the kick? What made you take it up as your vocation?
It all started with a bet. One of my friends challenged me to hack (of course ethically!) his/her own Orkut account and I did this using phishing. I had no technical knowledge at that time. I won the bet at the time and interestingly, it also became the profession that I wanted to pursue.
How does it feel to be in such command over cyber security?
It is still a process of regular learning for me. I plan to absorb everything for more clarity in what I do. Every day newer practices, malice and solutions are being coined. Staying aware and up-to-date is pivotal.
Today, with the digital boom, one of the biggest concerns for all the people online is personal security. How compromised are we? Are our actions actually being monitored round the clock?
The majority of Indian startups don’t care about security. An example is the Zomato hack where one could see the personal data of 63 million users. The company should never compromise with user data and should have adequate security measures to avoid such breaches.
Indian startups are vulnerable. I suggest users ask the CTOs/CEOs if they really have a security team of their own. All startups must have a security page on the website. I personally don’t think that actions are monitored.
What are the safety measures regular users should ascertain at a personal level? How are we making ourselves more prone to cybercrime on a regular basis?
a) Always make sure you type your credentials over HTTPS.
b) People should actually ask the company if they have an in-house security team. Making HTTPS also doesn’t make sure your data is safe and secure. There are application-level attacks such as SQL injection which can be used to extract users’ data.
What is the bigger picture of cyber security in general, the way you look at it? What are the imminent problems and solutions?
VCs should force companies to take care of the customer database. Proactive security is not just essential, it is mandatory. Consultancy companies are not good enough to secure these websites and there are glaring loopholes as a result. Companies should have in-house security teams of their own to avoid circumstances where hackers can have it easy.
‘You could have hacked all FB accounts’ like your blog says. You chose to be on the green side of things but were you ever tempted to set a foot on the red end?
No, never. The sense of making something secure gives me the kick not to misuse my own abilities to jeopardize.
Has fixing bugs/defects/issues become routine work for you or does it offer a kick every time you scavenge for some new threat and try to tame it?
I don’t fix them, I find the bugs. It gives me great pleasure to do it and never does a sense of boredom creep in.
What do you do when you are not spotting bugs?
I work as the full-time security engineer at Flipkart. Personally, for me, it is the best place to work in the country.
Who are your favourite tech writers?
I enjoy reading Aditya Bhushan Dwivedi of YourStory and Matt Navarra of THE NEXT WEB.
What does your bug-detecting arsenal comprise? What system do you use?
I use Mac OS and Burp Suite.
Do you create your own tools or use existing ones? And what is your language of preference?
There are no tools involved as such. I use an intercepting proxy known as Burp Suite (the best friend of all hackers).
Have you ever got in touch with Mark Zuckerberg or Jack Dorsey personally?
No, not yet. But I look forward to it.
How much are you worth now?
I have earned something around Rs 1.3 crore. I am planning to start something of my own soon – which won’t be just another security consultancy firm – and hopefully help Indian companies become more secure.