The term 'hacker' generally throws people off. But contrary to what many think, not all hackers are bad. In fact, their services can be quite useful when it comes to spotting bugs & vulnerable data and helping upgrade security.
Meet Kanishk Sajnani. In his own words, he is a 20-something guy with no professional expertise, who hacks ethically, looks for no personal gain and believes that hackers should be rewarded for their positive contribution.
Kanishk recently wrote an article on Medium describing his experience as an ethical hacker. He talks about how he spotted bugs in different booking portals, such as Air India's. While browsing through the site, he found what he calls a 'major vulnerability' in their ticketing system.
It would have allowed him to book a ticket to anywhere in the world for next to nothing. However, instead of taking advantage of it, he brought it to Air India's attention via email.
He had sent the email on 4th November, 2015. Almost a week later, on the 12th, he received a phone call.
Received an unexpected phone call from their Manager (Finance) on 12th Nov 15'. He asked me to prove if such a vulnerability existed & Oh boy! Did I?
Air India was extremely grateful to him and even offered him the internship he wanted. Kanishk did not take it up, though.
A few days before this episode, he had booked a ticket to Goa using the SpiceJet app. The ticket was worth ₹4028, but he paid only ₹4. Again, as he had done with Air India, he brought this to SpiceJet's notice as well and told them about the loopholes in their app. While he was clear about how he wanted to help them, their reply seemed extremely confusing.
I decided to drop a mail to some senior official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these (custrelations-nodalofficer & [email protected]). With no choice left, I sent a similar email (like the one to Air India) to SpiceJet too. Their reply baffled me.
He even exchanged mails with their GM, Mr Pradeep Shah, who asked him to forward the other mails that contained details of the problem. Kanishk obliged, and this is what he got in reply.
They sent me our previous correspondence in a .eml type file attached. *Double Facepalm* This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made, or they didn’t like to acknowledge the fact that their security was compromised.
The next portal that he found to be extremely vulnerable was Cleartrip, an app he could have used not just to book flights, but 'hotels, trains, restaurant dates, massages, cultural events, sport activities.'
But he decided to bring it to the attention of the company and sent them a mail.
He soon got a reply from their head of infrastructure and security, asking him to discuss all of it over the phone. But Kanishk refused to do that.
Never have such conversations over the phone. Written correspondence is a must (you’ll have proof in case something goes wrong). I made an excuse & asked him to continue over here or on Facebook.
Neeraj Nayan, the man in question, replied that he was fine with chatting over email and that the company was also willing to give Kanishk a reward if his claims were proven.
And so, that is what Kanishk did.
He did not just book a day at the spa, but even got a refund for something he had never really paid for!
Neeraj mailed Kanishk saying that they were validating his claims. But a month into the entire episode, there was no further correspondence. He even mailed the co-founders, making them aware of the situation.
But to no avail. His efforts went unrewarded and unacknowledged.
He had the power to travel the world for free, and no one would even have noticed. But his prime concern has been the security of these portals and preventing misuse that could lead to huge losses for these companies. Some acknowledged his efforts; some did not.
What I’ve learnt from my Experiences?
Full disclosure? I did order a free biryani a couple of times 😆 What surprised me was the fact that no one, from the store manager to the delivery boy, realised that they were being duped. The first time, I paid in cash after explaining everything to them. The second time was a test & they failed again. I could’ve eaten more like 1000 times.
He informed the company concerned, and they soon hired a security firm.
His efforts, rewarded or not, possibly helped these companies upgrade their security.
Air India, SpiceJet, Cleartrip, Mobikwik & Faasos were the only companies I ever corresponded with. I never informed the rest of them about any loopholes. For the same reason, I never mentioned any technical details in this article. The compromised list may still include some e-commerce websites, home services, travel agencies, educational institutions, government applications, etc.
You can read his entire article here.