The term 'hacker' tends to throw people off. But contrary to what many think, not all hackers are bad. In fact, their skills can be quite useful when it comes to spotting bugs and vulnerabilities and helping companies improve their security.
Meet Kanishk Sajnani. In his own words, he is a 20-something guy with no professional expertise who hacks ethically, looks for no personal gain and believes that hackers should be rewarded for their positive contributions.
Kanishk recently wrote an article on Medium describing his experience as an ethical hacker. He talks about how he spotted bugs in several booking portals, Air India's among them. While browsing the site, he found what he describes as a 'major vulnerability' in its ticketing system.
The flaw would have allowed him to book a ticket to anywhere in the world for next to nothing. Instead of taking advantage of it, he reported it to Air India by email.
He sent the email on 4th November 2015. A little over a week later, on the 12th, he received a phone call.
Received an unexpected phone call from their Manager (Finance) on 12th Nov '15. He asked me to prove if such a vulnerability existed & oh boy! Did I?
In response to the call, he used the portal to book a ticket to San Francisco for just ₹1, as a proof of concept (PoC): a single rupee debited for a flight to the USA. He could have flown on it had he wanted to, but the booking was made only to demonstrate the flaw. He also sent Air India a video of the process and the confirmation email for the ticket.
Air India was extremely grateful and even offered him the internship he wanted, though Kanishk did not take it up.
A few days before this episode, he had booked a ticket to Goa through the SpiceJet app. The ticket was worth ₹4028, but he paid only ₹4. As with Air India, he reported this to SpiceJet and described the loopholes in their app. While he was clear about how he wanted to help them, their reply was baffling.
I decided to drop a mail to some senior official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these (custrelations-nodalofficer & [email protected]). With no choice left, I sent a similar email (like the one to Air India) to SpiceJet too. Their reply baffled me.
Their reply:
He also exchanged emails with their GM, Mr Pradeep Shah, who asked him to forward the earlier emails containing the details of the problem. Kanishk obliged, and this is what he got in reply:
They sent me our previous correspondence in a .eml type file attached. *Double facepalm* This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made or they didn’t like to acknowledge the fact that their security was compromised.
He eventually cancelled the ticket himself and later found that he was due a refund of ₹2000 on a ticket he had paid ₹4 for, which suggests that no one at SpiceJet had detected the flaw in their payment system.
The next portal he found to be seriously vulnerable was Cleartrip, an app he could have exploited to book not just flights but also 'hotels, trains, restaurant dates, massages, cultural events, sport activities.'
Instead, he brought it to the company's attention by email.
He soon got a reply from their head of infrastructure and security, asking to discuss it all over the phone. Kanishk declined.
Never have such conversations over the phone. Written correspondence is a must (you’ll have proof in case something goes wrong). I made an excuse & asked him to continue over here or on Facebook.
Neeraj Nayan, the man in question, replied that he was fine with continuing over email and that the company would reward Kanishk if his claims were proven.
So that is what Kanishk did: he not only booked a day at the spa, but also received a refund for something he had never actually paid for.
Neeraj wrote back that they were validating his claims, but a month on there had been no further correspondence. Kanishk even emailed the co-founders to make them aware of the situation, to no avail: his report to Cleartrip went unrewarded and unacknowledged.
He had the means to travel the world for free, and no one would have noticed. But his prime concern was the security of these portals and preventing misuse that could cause huge losses to these companies. Some acknowledged his efforts; some did not.
What I’ve learnt from my experiences:
- Indian companies don’t pay the attention required to the security of their products.
- No application/website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.
- The only way they understand the importance of bug bounty programmes is through public humiliation. Damage control is obligatory once you get hacked. Best example: Ola Cabs.
- Ethical hacking is rarely appreciated.
- The process of resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their official programme. I was just able to brute force the OTP during account creation. They took like five weeks to get it over with & rewarded me with a sum of ₹2k.
His next find was in a food-delivery app:
Full disclosure? I did order a free biryani a couple of times 😆 What surprised me was the fact that no one, from the store manager to the delivery boy, realised that they were being duped. The first time, I paid in cash after explaining everything to them. The second time was a test & they failed again. I could’ve eaten more like a 1000 times.
He informed the company of this flaw as well, and they soon hired a security firm.
His efforts, rewarded or not, possibly helped these companies upgrade their security.
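The OTP brute force Kanishk mentions in his Mobikwik report is the one bug in the article whose nature is stated outright, and it illustrates a general point: a short numeric one-time code is only as strong as the attempt limit around it, since a four-digit code has just 10,000 possibilities. The following is an added example, not code from Kanishk's article or from any of the companies named; the four-digit length, the five-attempt limit and the class names are assumptions for illustration. It shows a signup-OTP check that counts nothing, the loop that exhausts it, and an attempt-limited check that burns the code after a few failures.

```python
"""Added example (not from Kanishk Sajnani's article or any company it names):
an OTP verifier with no attempt limit, the brute force that defeats it, and an
attempt-limited verifier that stops it. OTP length and lockout threshold are
assumptions for illustration; the article gives no technical details."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_DIGITS = 4      # assumed OTP length: a 10,000-code keyspace
MAX_ATTEMPTS = 5    # assumed lockout threshold


def issue_otp() -> str:
    """Generate a zero-padded numeric OTP with a CSPRNG (not random.randint)."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


@dataclass
class UnlimitedOtpCheck:
    """Vulnerable verifier: nothing counts failures, so the only defence is
    the size of the keyspace, which is trivial to exhaust."""
    secret: str
    attempts: int = 0

    def verify(self, guess: str) -> bool:
        self.attempts += 1
        # constant-time compare is good hygiene but irrelevant to the real flaw
        return hmac.compare_digest(self.secret, guess)


@dataclass
class LimitedOtpCheck:
    """Hardened verifier: after MAX_ATTEMPTS failures the code is burned and
    a fresh one must be issued, so guessing yields at most MAX_ATTEMPTS tries
    per code. The counter lives server-side, next to the secret."""
    secret: str
    attempts: int = 0
    locked: bool = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if hmac.compare_digest(self.secret, guess):
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False


def brute_force(verifier) -> Optional[str]:
    """Submit every code in order. Returns the accepted code, or None if the
    verifier locked before the right code came up."""
    for n in range(10 ** OTP_DIGITS):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(guess):
            return guess
    return None


if __name__ == "__main__":
    otp = issue_otp()
    weak = UnlimitedOtpCheck(otp)
    print("unlimited:", brute_force(weak), "after", weak.attempts, "attempts")
    strong = LimitedOtpCheck(otp)
    print("limited:", brute_force(strong), "locked =", strong.locked)
```

The lockout alone is not the whole fix: the code should also expire after a few minutes, the counter must be bound to the specific OTP session rather than to the client's claim of who it is, and failures should additionally be rate-limited per phone number and per source address so an attacker cannot simply request a fresh code and start again.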
Air India, SpiceJet, Cleartrip, Mobikwik & Faasos were the only companies I ever corresponded with. Never informed the rest of them about any loopholes. For the same reason, I never mentioned any technical details in this article. Compromised list may still include some e-commerce websites, home services, travel agencies, educational institutions, government applications, etc.
Such a smart guy! Here's hoping there are others like him out there who are willing to use their powers for good too.
You can read his entire article on Medium.