He is doing Pakistan proud, and feels his work is one way the image of Pakistan can be improved globally. Yet, this celebrated final-year computer science student at Bahria University has not yet received the recognition he deserves.
The world’s leading information security publications have featured Pakistani security researcher, Rafay Baloch, as one of the top ethical hackers in 2014, putting the 21-year-old Karachiite on top of their lists, The Express Tribune learnt on Thursday.
“Ethical hacking, which makes the information world more secure, is one way we [Pakistanis] can change our country’s negative perception in the world,” said Baloch.
CheckMarx, a source code analysis company based out of Tel Aviv, Israel, recognised Baloch as one of the world’s top five ethical hackers who made the headlines in 2014 for exposing a serious vulnerability - a Same-Origin Policy (SOP) bypass - in the Android Open Source Project (AOSP) browser (versions older than 4.4).
The recognition comes from a company that has, arguably, the best tool for Static Application Security Testing. CheckMarx was ranked number one for static analysis in “Critical Capabilities for Application Security Testing”, a 2014 report by the world’s leading information technology research and advisory company, Gartner.
“Contrary to common belief, many high-profile hackings in 2014 were performed by ethical hackers interested only in the benefit of the community,” CheckMarx said in a blog post on December 31, 2014, terming 2014 the year of the mega attacks, such as the Snapchat fiasco, iCloud photo leaks and North Korean orchestrated Sony Pictures hacking.
“Rafay Baloch took the world by storm after finding glaring flaws in Android’s stock AOSP browser,” read the post, putting Baloch on top of their list, which also featured ethical hackers from Israel, Egypt and Switzerland among top five in the world.
According to CheckMarx, the security loopholes identified by the Pakistani white hat “have not been addressed and are allowing hackers to steal session cookies to this very day, enabling them to perform a wide variety of malicious actions including identity theft”.
According to the world’s leading information security magazine based out of New York City, The SC Magazine, “Baloch has responsibly disclosed hundreds of vulnerabilities in his roughly six-year career in security research. His biggest discovery may be CVE-2014-6041, a bug that could allow a bad actor to circumvent the AOSP browser’s SOP”. The magazine published this on December 8, 2014 in an article titled Reboot 25: Threat seekers.
The magazine added that it was a significant issue; it was covered by major news outlets and was deemed a privacy disaster by security experts, and at the time impacted approximately 75 per cent of Android users running platforms older than version 4.4.
Though neither of the two publications ranked the security researchers covered in their reports, both put Baloch on top of their list.
A professional penetration tester and author of “Ethical Hacking and Penetration Testing Guide”, his first book on internet security, Baloch has been participating in various bug bounty programs to help several major internet corporations improve their internet security. He was rewarded with $10,000 in cash and a job offer from PayPal, a global online payment solution, for finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal.
Despite the international recognition, the Pakistani security researcher, who disclosed three more security bugs in different Android browsers as late as the last day of 2014, hardly got any attention from national news channels.
“Being a Pakistani, I feel great to be recognised by an Israeli company,” Baloch said, responding to a question. CheckMarx was founded by Maty Siman, former advisor to the Israeli Prime Minister’s Office on IT security, who also worked in the computer unit of Israeli Defence Forces.
Published in The Express Tribune, January 3rd, 2015.