Meet the bughunters: the hackers in India protecting your Facebook profile

Nobody thought Anand Prakash would end up a multi-millionaire.

Raised in a small town of Bhadra in western India, Prakash preferred to spend his free time playing computer games in cybercafes rather than outdoors playing cricket with the other boys his age.

But when he was still struggling to find a job at college, Prakash discovered Facebook’s bug bounty programme, which rewards ‘whitehat’ hackers, who test the website for bugs and help protect users’ data.

Now, he’s earned more than 10 million Indian rupees (£112,000) by testing websites like Facebook and Google for bugs, and helped protect millions of peoples’ personal data in the process.

A self-taught computer whizz who learned about hacking by reading blogs and watching Youtube videos, Prakash found his first bug easily – it allowed people to be discovered online after they’d turned of their Facebook messenger service. Facebook paid him 33,000 rupees for that discovery.
Since then, Prakash has reported more than 90 bugs to Facebook alone, and many more to companies including Twitter, Google, Dropbox, Adobe, eBay, Paypal and others.

‘Whitehat’ hacker Anand Prakash has earned millions of rupees from uncovering security flaws in Facebook and Google websites.

One bug he found allowed hackers to access any of Facebook’s 1.6 billion users’ information including messages, credit and debit card information and personal photos. Facebook paid him another 1 million rupees for finding it.

Even though Prakash’s discoveries have made him a rupee millionaire, he says he’s never done it for the money. “I’m interested in companies like Facebook and Google because those companies have the most data on individual users in the world.

“I do this work to protect data. If it were just for money I’d do it for companies with fewer users. I’m concerned about user privacy and I am a user myself. I care about keeping data safe.”

In developing countries like India, bug bounty hunting is a growing sport. In 2015, Facebook received 13,233 submissions from 5,543 hackers from around the world, often from small towns in developing countries.

India, Egypt and Trinidad and Tobago, in that order submitted the most reports and the company says the quality of the information hackers provide gets more sophisticated every year.

Rahul Tyagi, a whitehat hacker from the small town of Gurdaspur in north India says many of his friends earn a decent living simply by hunting for bugs on websites such as Facebook and Twitter.

Rahul Tyagi, a whitehat computer hacker from the small town of Gurdaspur in north India, who says many of his friends earn a decent living simply by hunting for bugs on websites such as Facebook and Twitter. Photograph: Rahul Tyagi

“They earn around 1-1.5 lakh rupees (£1000-1500) a month without leaving their bedrooms.”

Whilst India’s burgeoning population of 1.25bn means that getting a job can be tough, bounty-hunting schemes provide an easy way for young Internet enthusiasts to make a living.

“People are just sitting at home with nothing to do,” Tyagi says, offering an explanation for the country’s large proportion of whitehat hackers. “They can’t get a job, so they learn this.”

Tyagi’s own motivations for hacking though, are slightly different. “It’s about getting an appreciation from the giants of the world,” he says. “Hacking requires a curious and creative mind. And you have to keep learning every day, because the technology is changing so quickly.”
Like many other big names on the Indian hacking scene, Tyagi comes from a humble background. “I was the first in my town to get a computer. I started on Windows 98.”

His knowledge of computers earned him a reputation as the local techie when he was a teenager.

“People used to invite me to their homes to install Windows XP. They’d give me food in exchange,” he says. “For them it was a big thing – that I knew so much about computers.”

His first experiments with computer security were when he was just a child, trying to get a game for PlayStation 1 to work on his computer. “I was the only kid in the whole of Punjab who could do that at the time,” he says. My first hacks weren’t ethical – I was just experimenting. Curiosity kept me going.”

Indian entrepreneurs and immigrants have been pioneers in the tech sector in the last few decades. But nobody saw India’s tech boom coming. The country has a low computer literacy rate of less than 7% and until recently, the country’s telecommunications infrastructure was weak and underdeveloped.

Academics have cited the government’s non-interventionist approach as one explanation for India’s success in the IT sector. Former IT minister Pramod Mahajan once said that “IT and beauty contests are the two areas the government has stayed out of.”

Prakash argues that India’s cyber security sector could grow even faster with some help from the government.

“The Indian government hasn’t understood how big our potential is when it comes to hacking. The most talented hackers are Indian, the highest number of bugs are reported from here. We need to cultivate that talent.”

Trishneet Arora a 22-year old hacker from the city of Ludhiana in northern India started as an ethical hacker, and has created a successful cyber security business with his skills.

Trishneet Arora, a 22-year old from the small city of Ludhiana in northern India. He never finished high school, but he runs a multinational cyber security company, has penned three books on ethical computer hacking and has won a government award for his contribution to online security. Photograph: Trishneet Arora

“Imagine having the power to hack into some one’s bank account and steal a million dollars,” he says. “And imagine saying no.”

Arora believes the next world war will be won online, and that India’s cyber security experts will have a major role to play.

He explains that hospital software is a particular vulnerability and hackers like him are devising new ways to keep patients safe.

“In the ICU the technology [one hospital] was using was a cloud-based machine,” he explains. “I hacked it, I found vulnerability and I shut it down. The person on the operating table could have been killed, and you’d never be able to trace the killer.

“That’s the future of cyber attacks. They’ll breach our security, we’ll breach theirs,” he says. “Getting access to confidential information can destroy peoples’ lives.”

comments powered by Disqus