Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news — he had hacked their Web site and could book flights anywhere in the world for free.
It was a familiar tale for India’s army of “ethical hackers,” who earn millions protecting foreign corporations and global tech giants from cyberattacks, but are largely ignored at home, their skills and altruism misunderstood or distrusted.
India produces more ethical hackers — those who break into computer networks to expose, rather than exploit, weaknesses — than anywhere else in the world.
The latest data from BugCrowd, a global hacking network, showed Indians raked in the most “bug bounties” — rewards for exposing security loopholes.
Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of last year than any other researchers.
Indians outnumbered all other bug hunters on HackerOne, another registry of about 100,000 hackers.
One anonymous Indian hacker — “Geekboy” — has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.
Most are young “techies” — software engineers swelling the ranks of India’s US$154 billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cybersystems.
“People who build software in many cases also understand how it can be broken,” HackerOne co-founder Michiel Prins told reporters by e-mail.
However, while technology behemoths and multinationals are increasingly reliant on this world-class hacking talent, just a handful of Indian firms run bug bounty programs.
Information volunteered by these cyber-Samaritans is often treated with indifference or suspicion, hackers and tech industry observers told reporters.
Anand Prakash, a 23-year-old security engineer who has earned US$350,000 in bug bounties, said that Facebook replied almost immediately when he notified them of a glitch allowing him to post from anyone’s account.
“But here in India, the e-mail is ignored most of the time,” Prakash told reporters from Bangalore, where he runs his own cybersecurity firm, Appsecure India. “I have experienced situations many times where I have a threatening e-mail from a legal team saying: ‘What are you doing hacking into our site?’”
Sajnani, who has hacked about a dozen Indian companies, said he was once offered a reward by a company that dropped off the radar once the bugs were fixed.
“Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying,” the 21-year-old told reporters from Ahmedabad, where he hunts for software glitches in between his computer engineering studies.
An unwillingness to engage its homegrown hackers has backfired spectacularly for a number of Indian start-ups, forcing a long-overdue rethink of attitudes toward cybersecurity.
In 2015, Uber-rival Ola launched what it called a “first of its kind” bounty program in India after hackers repeatedly exposed vulnerabilities in the popular app.
This month, Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.
The hacker — “nclay” — threatened to sell the information unless Zomato, valued at hundreds of millions of US dollars, offered bug hunters more than just certificates of appreciation for their honesty.
“If they were paying money to the good guys, maybe ‘nclay’ would have reported the vulnerability and made the money the right way,” Waqas Amir, founder of cybersecurity Web site HackRead, said by e-mail.
The incident was especially galling for Prakash.
He had hacked Zomato’s database just two years earlier and said if they listened to him then “they would never have been breached in 2017.”
In a mea culpa rare for an Indian tech company, Zomato agreed to launch a “healthy” bounty program and encourage other firms to work with ethical hackers.
“We should have taken this more seriously earlier,” a Zomato spokeswoman said in a statement.
The Zomato hack, and panic surrounding last month’s global WannaCry cyberattack, comes as the Indian government aggressively denies suggestions its massive biometric identification program is susceptible to leaks.
The Indian government has staunchly defended its “Aadhaar” program, which stores the fingerprints and iris scans of more than 1 billion Indians on a national database, and has accused those who have raised concerns of illegal hacking.
Prakash said it was vital the government embrace its own through a program like the “Hack the Pentagon” initiative, which last year saw 1,400 security engineers invited to poke holes in the US Department of Defense’s cyberfortifications.
“The Indian government definitely needs a bounty program to make their system more secure,” Prakash said.