Working a desk job: Young techie bags a million rupees using IT skills

Published: December 30, 2012
Undergrad student was participating in an international ‘bug hunting’ programme. DESIGN: TARIQ GILANI

Undergrad student was participating in an international ‘bug hunting’ programme. DESIGN: TARIQ GILANI


The country’s youth seems to have struck a goldmine. They are now racing online, using their IT skills to impress and cash in on what is arguably the most rewarding industry for creative minds nowadays.

Not long ago, Pakistani blogger Farrukh Zafar sold, his six-month-old baby, for a whopping $100,000. Now, another blogger has earned $10,000 or Rs1 million in bounties after hacking into and exposing security vulnerabilities in PayPal – a global online payment solution based out of California.

An undergrad student at Bahria University Karachi’s Computer Science Department, Rafay Baloch has not only bagged $10,000 in PayPal’s bug-hunting quest, but has also received an offer to serve the company as a senior penetration tester. Only a few hackers – those who can successfully expose critical vulnerabilities – are given such an opportunity.

Baloch – who turns 20 come February – has had to turn down the offer because of his continuing studies. “I should think about joining their team after my Bachelors,” Baloch tells The Express Tribune.

“A number of Indian, Israeli and American white hats [hackers] actively participate in the programme and receive bug bounties on a regular basis,” Baloch says. He is probably the first Pakistani to have received this award though.

Starting from a minimum prize of $250, the rewards in Paypal’s bug bounty programme can be as high as $60,000, depending on the number of bugs a person reports, Baloch tells us.

“At first, most of my bugs were already reported by someone or the other, but I never gave up,” Baloch narrates from experience. “I kept trying and was lucky enough to find a ‘command execution vulnerability’ under Paypal’s sub domain which enabled me to execute any commands on their server,” he tells us.


“The command execution vulnerability is always considered critical in nature,” Baloch explains. His identification of one is one of the main reasons why the company considered him for a job.

Although he could not avail the opportunity, the teenager has already built a reputation that can earn him similar job offers in the future. Baloch made his blogging debut five years ago, and later switched his concentration to online security. His main area of research is Web Application Hacking and Security. The young IT talent is currently authoring his second book on “Advanced Ethical Hacking and Pentesting Techniques”, and plans to release it by the end of 2013.

His name has been added to the hall of fame section in about 20 websites; including big names like Apple, Microsoft and Ebay, to name a few. The hall of fame is a particular section on most websites that keeps records and publishes names of hackers who identify vulnerabilities in their websites.

A lot of IT companies, Baloch says, approach him to review their premium products. “This helps me learn more and expand my horizons.”

His priority, however, is to launch his own pentesting company. Pentesting is tech-speak for penetration testing: the method of evaluating the security of a computer system or network by simulating attacks onto it.

He is one of the Pakistani hackers mentioned by Eboz – the Turkish hacker who defaced and hundreds of other Pakistani websites – in a December 23 interview published in TechCrunch. Eboz hacked and defaced various Pakistani websites to let Pakistani hackers know that “… they are not [the] only ones hacking big targets on the planet”.

Asked if he could develop made-in-Pakistan security software comparable to McAfee or Norton products, Baloch says he certainly can, given he has “access to proper resources”.

Baloch, who prefers to be known as a bounty hunter instead of a hacker, says he is planning to launch a security related training programme in Pakistan to educate website administrators and technology geeks about the latest security threats.

“A lot of Pakistani government and educational websites are vulnerable to certain threats,” Baloch says. “If they allow me to test their websites, I can help them make their networks and/or websites more secure,” he offers.

Published in The Express Tribune, December 30th, 2012.

Like Business on Facebook to stay informed and join in the conversation.

Facebook Conversations

Reader Comments (15)

  • Khurram Aziz
    Dec 30, 2012 - 11:09AM

    Awesome job, Rafay! keep it up buddy!


  • Representative
    Dec 30, 2012 - 11:50AM

    way to go lad…..


  • Dr.X
    Dec 30, 2012 - 12:37PM

    good going!


  • Dec 30, 2012 - 1:11PM

    Thumbs up Baloch, and thumbs up my friend Farrukh Zafar


  • Faisal Soomro
    Dec 30, 2012 - 1:55PM

    thats my cousin…


  • Astraldust
    Dec 30, 2012 - 2:56PM

    Great news but $100,000 is not exactly a “whooping” sum.


  • H.A. Khan
    Dec 30, 2012 - 3:10PM

    Good .Now these guys need to pay tax according to law. FBR wake up


  • Dec 30, 2012 - 4:08PM

    Stealing content from Reddit by Gagism is hardly a role model.


  • Bhatti
    Dec 30, 2012 - 7:59PM

    Baloch! u r MY GUY!!


  • Umair Waheed, IBA, Khayban e Hafiz
    Dec 30, 2012 - 10:26PM

    And why is this guy at bahria? If only IBA could have such students.


  • Dec 31, 2012 - 12:28AM

    Great news. We are proud of you Rafay. Keep it up.


  • Dec 31, 2012 - 4:00AM

    GREAT YJOB BROO,…. i realy appreciate you Raffay


  • Rafay Baloch
    Dec 31, 2012 - 4:11AM

    Thanks every one for their wishes.

    @Umair Waheed

    Is their any way i could transfer my credits over their in BSCS?


  • Danyal Sandeelo
    Dec 31, 2012 - 4:17PM

    Keep it up bro !! i m happy to see this all !! (y)


  • Lpc
    Jan 3, 2013 - 9:55AM

    Jealous much?


More in Business