The country’s youth seems to have struck a goldmine. They are now racing online, using their IT skills to impress and cash in on what is arguably the most rewarding industry for creative minds nowadays.
Not long ago, Pakistani blogger Farrukh Zafar sold Gagism.com, his six-month-old baby, for a whopping $100,000. Now, another blogger has earned $10,000 or Rs1 million in bounties after hacking into and exposing security vulnerabilities in PayPal – a global online payment solution based out of California.
An undergrad student at Bahria University Karachi’s Computer Science Department, Rafay Baloch has not only bagged $10,000 in PayPal’s bug-hunting quest, but has also received an offer to serve the company as a senior penetration tester. Only a few hackers – those who can successfully expose critical vulnerabilities – are given such an opportunity.
Baloch – who turns 20 come February – has had to turn down the offer because of his continuing studies. “I should think about joining their team after my Bachelors,” Baloch tells The Express Tribune.
“A number of Indian, Israeli and American white hats [hackers] actively participate in the programme and receive bug bounties on a regular basis,” Baloch says. He is probably the first Pakistani to have received this award though.
Starting from a minimum prize of $250, the rewards in Paypal’s bug bounty programme can be as high as $60,000, depending on the number of bugs a person reports, Baloch tells us.
“At first, most of my bugs were already reported by someone or the other, but I never gave up,” Baloch narrates from experience. “I kept trying and was lucky enough to find a ‘command execution vulnerability’ under Paypal’s sub domain which enabled me to execute any commands on their server,” he tells us.
“The command execution vulnerability is always considered critical in nature,” Baloch explains. His identification of one is one of the main reasons why the company considered him for a job.
Although he could not avail the opportunity, the teenager has already built a reputation that can earn him similar job offers in the future. Baloch made his blogging debut five years ago, and later switched his concentration to online security. His main area of research is Web Application Hacking and Security. The young IT talent is currently authoring his second book on “Advanced Ethical Hacking and Pentesting Techniques”, and plans to release it by the end of 2013.
His name has been added to the hall of fame section in about 20 websites; including big names like Apple, Microsoft and Ebay, to name a few. The hall of fame is a particular section on most websites that keeps records and publishes names of hackers who identify vulnerabilities in their websites.
A lot of IT companies, Baloch says, approach him to review their premium products. “This helps me learn more and expand my horizons.”
His priority, however, is to launch his own pentesting company. Pentesting is tech-speak for penetration testing: the method of evaluating the security of a computer system or network by simulating attacks onto it.
He is one of the Pakistani hackers mentioned by Eboz – the Turkish hacker who defaced google.pk and hundreds of other Pakistani websites – in a December 23 interview published in TechCrunch. Eboz hacked and defaced various Pakistani websites to let Pakistani hackers know that “… they are not [the] only ones hacking big targets on the planet”.
Asked if he could develop made-in-Pakistan security software comparable to McAfee or Norton products, Baloch says he certainly can, given he has “access to proper resources”.
Baloch, who prefers to be known as a bounty hunter instead of a hacker, says he is planning to launch a security related training programme in Pakistan to educate website administrators and technology geeks about the latest security threats.
“A lot of Pakistani government and educational websites are vulnerable to certain threats,” Baloch says. “If they allow me to test their websites, I can help them make their networks and/or websites more secure,” he offers.
Published in The Express Tribune, December 30th, 2012.
Like Business on Facebook to stay informed and join in the conversation.
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ