Ahraz Ahmed penetrated the devices of 50 large companies, and at the age of 16, he supported his family by working in the stock market and foreign exchange markets.

Ahmed is currently working as a "white hacker", helping us all stay safe from the dangers of the cyber world.

On a Tuesday morning in December last year, Ahraz Ahmed, now 24, realized once again that there was no app on his phone that he hadn't previously been able to hack.

Out of concern for the privacy of the millions of people who use these applications on the Internet, Ahmed decided to look into the mobile phone network "Airtel" himself. Airtel provides Internet services to about 325 million users in India.

Ahmed is currently a network security researcher in the city of Mysuru in India, which has nearly 700 million Internet users.

Ahmed has been discovering vulnerabilities in companies on the Internet - including the websites of the world's tech giants such as Microsoft, Apple and Netflix - since he was just 16 years old.

What Ahmed discovered when he checked Airtel's security system was shocking, even to him.

In just 15 minutes, armed with a regular phone number, he was able to access sensitive customer information such as home addresses, email addresses, dates of birth, and International Mobile Equipment Identity (IMEI) numbers, which serve as a unique digital identifier for each mobile device.

Ehraz discovered that the problem lay in one of the company's application programming interfaces (APIs), which the program uses to access data, server programs or other applications. Ahmed decided to contact the company, which is the second largest telecom company in India, to urge it to take the necessary measures, and he also warned the media of such loopholes.

Hiring “ethical” hackers

Ahmed is one of the newer category of "ethical hackers", or internet security guards, who say they have taken it upon themselves to protect users from online fraud, and Ahmed considers this profession to be a community service job.

"I was concerned about users' privacy, so I decided to start testing the security of the apps installed on my phone. Later I went further to check the networking app," he explains.

One of the guardians of the digital world

Ahmed is fond of discovering and eliminating security flaws.

In this context, Ahmed notes that “From an early age, I enjoyed being a mentor who can guide those who ask for help finding solutions to electronic problems. From small and medium businesses, to large companies, like LinkedIn, my passion is to provide security solutions in the digital world.”

Ahmed also provides his services to companies he does not work with and discovers security problems in them, as happened with LinkedIn recently.

In this context, Ahmed asserts, "I helped LinkedIn by reporting a security hole on its website. I received a message from them thanking me for their help."

"I try to find security holes in companies that provide public services and have a large user base, where hackers can exploit the leaked data in social engineering and access people's private data, such as bank information, passwords or postal addresses," he explains.

"It can take hours or days to fix these vulnerabilities if they are complex. If companies don't pay attention to their presence, hackers can cause massive damage," Ahmed adds.

He says he has not received anything in return from the companies (those that are not among his clients) whose vulnerabilities he has helped discover in recent years.

He often gets an acknowledgment or thank you letter from companies.

In other cases, some companies deny any vulnerabilities in their applications.

According to Ahmed, "Bounty hunters are looking for security vulnerabilities in order to get paid from companies, but my goal is to help companies fix their security flaws only, without expecting anything in return."

In addition to these charitable activities, Ahmed works as an executive director, and has established 3 companies: Voxy Wealth Management, a financial research firm that advises market analysts and traders; Aspirehive, which provides Internet security services; and StackNexo, which provides web and data management services.

Through Aspirehive, Ahmed uses software to scan his customers' websites and mobile apps for any security vulnerabilities.

In a related context, Ahmed explains that “It is always good to take precautions and fix flaws before hackers can exploit them.” The most common vulnerability he was able to find in 2019 was a data leak that could have compromised the data of 700 million users, across about 150 companies in total.

In all, about 1,000 companies have hired Aspirehive to help secure their electronic systems against hackers.

Start early

Ahmed grew up in Mysuru, in the Indian state of Karnataka, and was fond of computer games such as “Counter-Strike.” His mother said, “Ehraz was one of the children who preferred to be alone with his computer when others would invite him out to play cricket and soccer. He's been curious and fond of computer games since he was ten.”

Ahmed founded his own game server hosting company at the age of 14, which he later expanded to provide hosting space, selling or renting websites on servers, where customers could store files to support their websites.

His parents say they were surprised by his entrepreneurial talents and were unaware of what he was working on as a teenager, adding, "We first learned about the company he founded when he decided to drop out of engineering at university. Until then, we didn't know what he was up to."

The genius child in the world of money

In 2010, Ahmed's older brother, Omraz, 28, had a life-changing motorcycle accident that turned Ahmed's life upside down.

The family struggled to pay for hospital treatment and his parents had to take time away from work to help his brother recover.

Because of the accident, the family was in financial distress.

At that point, Ahmed decided to expand his game server hosting company to provide web hosting services.

Two years later, his father had a heart attack at the age of 48 and recovered, but the family's financial situation got worse.

When he was 16, people hailed his success in finding security holes in 50 companies over a 12-month period between 2013 and 2014, including Microsoft, Apple, Adobe, BlackBerry, SoundCloud, and Netflix, all of whom welcomed Ahmed's help. "I was contacting these companies via email to confirm the vulnerabilities. After the bug was fixed, they would acknowledge our efforts by adding our names to their Hall of Fame page," he says.

For someone who did not complete a Bachelor's degree in Engineering and Computer Science at BES University in Bangalore in 2017, Ahmed has achieved great things.

At the age of 20, Ahmed founded his own financial technology company, Voxy Wealth Management, which provides a platform for traders and financial analysts to research the financial markets.

The web platform helps people to manage and track all their stocks, and also gives them daily advice from financial analysts.

Between 2017 and 2019, he founded his two start-ups, Aspirehive and StackNexo.

Spear phishing

Sitting in his office in Mysuru, a small city in the southwestern Indian state of Karnataka, Ahmed explains that hackers are constantly developing new methods to breach the security measures of internet companies.

"In the past few years, there has been a clear pattern of hacking Twitter accounts. Hackers are using very sophisticated methods of social engineering," he says.

"In the cases of Barack Obama, Elon Musk and Bill Gates, hackers used the 'backdoor' entrance to target Twitter employees, thereby gaining access to these personal accounts."

Generally, hackers send a legitimate-looking email to employees of companies that handle the social media accounts of famous people. The text asks them to fill out a form providing sensitive information, which the hackers then use to gain access.

In other cases - as happened with Indian Prime Minister Modi - they used a vulnerability in a website to log into a Twitter account connected to the site.

Ahmed explains that "this is a form of spear phishing, and these indirect attacks have proven highly effective in penetrating the security walls of large companies."

Once the hacker breaks through these walls and gets into the company's systems, it becomes easy for him to take over user accounts, with all the administrator features on the site enabled.

They can also send emails asking users to change their passwords, or informing them that they are eligible for a 'discount voucher'.

This email leads to a malicious link containing a form to fill in sensitive information such as passwords and email addresses, enabling hackers to gain access to users' accounts.

Corporate management personnel can fall prey to such scams, as they are very convincing.

Ahmed points out that "the attackers pretend to be a legitimate actor to get the required details, in order to then gain access to the company's control system. No software can really prevent this, as there is no way to completely protect against human error."

"The hackers are doing extensive research into personal employee accounts and the internal systems they use," he added.

Moreover, Ahmed says that India's culture of short cuts and lax cybersecurity measures have helped this spread, stressing that "companies are very greedy. They need to focus more on infrastructure rather than just expansion. They are not taking precautions to prevent any potential disasters."

Impending disaster

Ahmed says he found a vulnerability in an Indian company called "LazyPay", which could have allowed hackers to access users' personal information, including their credit card details.

LazyPay is an instant credit application that allows its more than a million users to pay their bills.

On its website, Bio describes LazyPay as "India's leading payment gateway" with more than 450,000 businesses using it.

“When the bug was discovered, I contacted the company via email and they acknowledged the vulnerability, and it took a few hours to fix it,” Ahmed says.

Another case has surfaced with Truecaller, a company that provides a phone app that can display the names of callers if they use a hidden number.

It is often used by people who are facing harassment or trying to block abusive calls.

Ahmed says he found two flaws in Truecaller's two-step verification system in 2019 that could have allowed hackers to enter the system and access users' information. The first flaw was found on August 21, 2019, and the second was found on November 23 of the same year.

Ahmed adds that he contacted the company via email about the first vulnerability in August, but went directly to the media when the second vulnerability was discovered.

After that, Truecaller said in a November statement that it had investigated the issue and that the bug had been fixed: "It was recently brought to our attention that there was a small bug in our app services that allowed an individual's profile to be modified unintentionally. We thank the security researcher for reporting this and cooperating with us. The bug was fixed immediately."

Urgent issue

However, other companies that Ahmed contacted after discovering similar vulnerabilities did not act so quickly.

“If we identify something wrong, it can be very difficult for us to fix it, because companies refuse to acknowledge and don't want to be in the news,” Ahmed says.

According to his experience, some companies will go to great lengths to not appear in public.

On some occasions, companies have ignored identified vulnerabilities or attempted to fix them without acknowledging the problem to avoid embarrassment and backlash from customers.

Ahmed explained that “companies sometimes use fake Gmail accounts to communicate with ethical hackers like me, in order to secretly obtain information from the ethical hacker so that they do not reveal the problem publicly later. For me, this shows that, time and time again, companies give profit precedence over people's privacy.”

In a recent case, a little-known Indian company from Delhi was used to carry out cyber espionage operations targeting investors, government officials and activists around the world.

The Indian IT company offered hacking services to help customers spy on more than 10,000 email accounts over a period of 7 years.

Incidents like this show that cybersecurity has become an urgent issue that must be addressed, experts like Ahmed say.

"Unfortunately, there are such companies in our country, especially where IT centers are clustered in major cities like Mumbai, New Delhi and Gujarat," Ahmed adds.

Laws being drafted

Despite the new regulations, the 2019 US Cybercrime Report, released by the FBI's Internet Crime Complaint Center, revealed that India ranks third in the world in terms of the number of cybercrime victims.

“Companies should invest more in security infrastructure,” Ahmed says. “The issue of data security should not be postponed, it should be a priority, especially as more people are navigating the internet for all their daily needs.”

In order to prevent hacks on Twitter, for example, Ahmed says, “Companies should conduct regular training, because employees are not trained to spot fraud. Second, companies have to restrict who has access to their dashboards, and then they should only allow the use of a corporate network to access this system, and the IP addresses used to access sensitive corporate control panels should adhere to strict protocols.”

Ahmed believes that "best practices in the industry show that the best defense against cyber-phishing is the company's employees, which would prevent hackers from defrauding and using human vulnerabilities."