This Indian ethical hacker could have travelled the world for free
The Zomato hacking and ransomware chaos prompted a young Indian ethical hacker to reveal how he breached security systems of top Indian firms, even booking a San Francisco ticket at Rs 1
In the small hours of May 22, a 21-year-old computer engineering student from Ahmedabad's LJ College of Engineering put up a post on the blog site medium.com titled, How I Could Have Travelled the World For Free. By May 23, it had got over 1 lakh hits. Kanishk Sajnani also finds himself inundated with requests for interviews across all media channels - radio, news websites, television and print. After all, in the wake of the Zomato hacking, concerns regarding the security of sites that we use almost daily - to book flights and hotel or order food - takes prominence.
However, as Sajnani wrote on the blog, it's not just the Aadhaar card that will compromise your data.
He says some time in June 2015, inspired by stories of ethical hacking across the world - shared on the Internet - he was inspired to try his hand, too. "There's no one to teach you how to do this stuff. So I learnt what I could from Google and started looking at e-commerce sites run by Indian companies," he tells mid-day.
It took Sajnani three months to find his first bug on the Faasos website. This is a six-year-old food on demand firm that delivers meals across Indian cities when orders are placed on its app or site.
He writes on the blog: "It was a jackpot. I was able to look up the details (Debit card, Addresses, Order History) of any customer through just their email address or mobile number. Furthermore, I was even able to order anything for free. I literally owned the application thereafter."
Of the bug on the site, Sajnani says it's the worst he has seen. As long as he had the number or email address (not otherwise), he could access a customer's details. "It's easy to look up someone's email ID or phone number online. So, there is every chance that your data will be compromised."
He ordered a few biryanis, and while he paid up the first time, he wasn't caught the second time when he didn't. It was a test.
He writes that he emailed Faasos CEO, Jaydeep Barman, informing him about the anomalies. The bugs, he says, remained for almost six months until Faasos hired a security firm.
In this manner, Sajnani also hacked into the sites of Air India and Spice Jet, booking tickets for flights to San Francisco and Goa, by paying nothing. If he had cancelled, he was even eligible for a refund. Not that he did.
Sajnani is clear that he wasn't in it to misuse the information. "I only wanted to inform them about the bugs." The search for bugs itself, he calls a treasure hunt. To find what no one has been able to before. "Learning something on your own is a big experience. I was curious, but it's also an opportunity for skill enhancement."
Most of the firms, he writes in his blog, had a prompt and helpful response. Of Air India, he writes, "The manager further enquired about the rectification steps they should take. I sent him all the details along with POC (Proof of Concept) videos via mail. He told me they had their own IT team, and since I was keen on doing an Internship back then, he kindly accepted my request (I never actually interned, though) and also thanked me heartily for the contribution I had made."
His family, he says, has always known what he's doing. "They support me because they know I am not trying to exploit. I am sure there are more skilled hackers than me, but why people liked my post, I think, because with such sites, it's so tempting to misuse your power - book flight tickets for a rupee. To choose ethics over temptation, I suppose, they found commendable."
It's the insecurity of data, incidents such as Zomato and Ransomware, that spurred him to share his findings from two years ago on the blog last week. "Also, by this time, all the companies had fixed the bugs, so it was safe to publish this information. It was so that people realised security loopholes exist and pressure companies into keeping their data more secure."
Are the five firms he has named on his blog the only companies he has hacked into? "These are the only ones I have corresponded with. There are seven others that I haven't mentioned."
Since then, Sajnani has been educating friends and family about securing data. "I am going crazy here," he says of the 300 emails he has received every day since the post went up. "Most of the emails are from people who want to learn how to hack themselves."
What the firms said
Spice Jet did not want to participate in the story and Air India did not get back to our email and messages.
Soumyadeep Barman, Chief Technology Office, Faasos, says, "The incident is nearly 1.5 years old. A lot has changed since. We have introduced a new system which requires a lot of validations around orders, user data with oath tokens. This system was put in place in January and has addressed the loopholes prevailing in the previous version. With time, our technology stack has evolved. From a time when people could do shallow manipulations to today, where our algorithms automatically detect and destroy 'threat vectors', we keep getting better. For further safety, we don't save any card details or payment related information, but fetch it from our partner payment companies for extreme safety."
Download the new mid-day android app to get updates on all the latest and trending stories on the go https://goo.gl/8Xlcvr
Sign up for all the latest news, top galleries and trending videos from Mid-day.comSubscribe