The 25-year-old telecom engineer from Lahore says his employer had 'no idea' of his secret cyber life and his recent exploits
“My friends used to call me Mak Man. It was like a nick name,” says Mukarram Khalid.
Khalid (bottom, left) is the man behind the hack handle Mak Man, which has caught the imagination of the cyberspace recently exposing cracks in the information security architecture of Gaana.com, a music download portal run by media behemoth Timesgroup.
“In 2007, there was a fierce cyber war going on between Pakistan and Indian hackers. I followed some of the hacked websites and found their origin. I found their forums/blogs and Facebook profiles. At that time, I stepped into this cyber world with a hack-handle Mak Man. I guess, I was afraid of being stalked or tracked down,” Khalid said recalling origins of his alias.
The 25-year-old, who hails from Sialkot, close to the Jammu border in India and lives in Lahore, graduated in Electrical (telecom) Engineering from University of Central Punjab in 2012. He works as a network engineer in well known telecom solution provider. “Currently, I’m working with different employers at the same time, some of them knew about all this. But my actual day job employer (Telecom Solution Providers) had no idea,” Khalid quips.
Hours after the Gaana.com issue was resolved amicably, a Delhi-based student entrepreneur Pranav Mishra claimed to have tracked down the real identity of Mak Man. “I first traced his email id and wrote a mail to him. Once he opened the email, I could trace his IP address. That is how I identified Mak man’s real name,” Mishra told Business Standard. Mishra claimed that he messaged Times Internet chief Satyan Gajwani and asked for recognition. “Satyan sir told me to contact next week,” Mishra said.
However, Khalid says though his employer had no idea, his identity was not a big secret in the hacker community. “My real identity was never a mystery. Most of my facebook friends (from different countries) already knew my name and address. I have even met most of them personally. Plus, I always posted my research on Vimeo with my real name,” the techie who calls himself a ‘white hat hacker’ said.
Being a ‘White Hat’, internet slang for ethical hackers, Khalid says he has not got into any real trouble with his targets. “No, not really. I never did actual damage to any of my targets and all the hacks I’ve pulled so far, had very genuine motives.”
But his fake identity ran into trouble with Facebook. “Some guys mass reported my facebook profile @ facebook.com/themakmaniac against facebook’s fake name policy. FB team took notice and blocked the account. I’ve applied for the restoration of the account but it’s under consideration. But my twitter account @themakmaniac is still active.”
Though he has got into trouble with Facebook, Khalid counts tech giants of the world, including Microsoft, Facebook, and Google among his sources of inspitation. “I won’t say that I’m an expert but I like to apply every piece of information I get one way or another. I’m a huge fan of computer programming and I love to automate stuff with simple scripts and code snippets. I have good knowledge of PHP, Python and C#.”
Among his many jobs, Khalid has also been working with a friend called Sajjad Ahmed. Ahmed, who was part of Mak man’s social media interactions with Gajwani, runs a security solutions provider called Refluxes. “We have worked on a few projects, Our last project was penetration testing and Code auditing of tune.pk (One of the largest video streaming websites of Pakistan). I have also worked with rozee.pk (one of the largest job portals in Pakistan) as a security auditor in the past.”
Apart from his interest in info-sec research, Khalid likes watching movies and playing online video games. “I'm very good at Counter strike 1.6 (Multi Player Online Game).”
For youngsters having interest in infosec, Khalid has some advice: “Start with the basics of programming. I believe if you know how to make something, You'll know how to break it.”
How it all started
It all started in the wee hours of May 28. A netizen codenamed Mak Man announced on his Facebook page that he had hacked the Times group's music download website, Gaana.com.
Mak Man, who claims to be based in Lahore, posted on his page the following message:
[SQL injection] Gaana.com - http://makman.tk/gaana.php
Alexa rank: 121 (India)
Number of user records in database: 10 million+
Exploit POC: http://makman.tk/gaana.php
POC details: Enter the email address of the user (registered on gaana.com) to get all the details."
'POC', or proof of concept, exploit refers to an attack against a computer or network only to prove it can be done. Typically, it does not cause any harm, but shows how a hacker can take advantage of vulnerability in the software or hardware.
As Mak Man's online fans started lionising him for his feat, Lahore-based Sajjad Ahmad, who seemed to be Mak Man's accomplice, said in a post, "This is what happens when you don't take bug reports seriously. It's worth mentioning here that the owner of the website was reported several times regarding the vulnerabilities but he didn't fix them because it was too much of work."
Mak Man seems to be of the type that derives pleasure from exposing vulnerabilities in a particular system or network. His Facebook page is full of instances of hacking and jokes about system vulnerabilities are shared.
In December, Mak Man had hacked the website of Pakistan telecommunication authority (PTA). Signing off with "Mak Man was here", the hacker advised the PTA to buckle up or some Indian hackers might hack it and claim credit in the media.
Sometime Thursday (May 28) afternoon #Gaana started trending on social media, as users started reporting the portal was offline. Some online news reports indicated risks to user data and panic began to set in.
Satyan Gajwani, chief executive of Times Internet, which owns Gaana, stepped in to troubleshoot. In a series of tweets, he explained the situation: "A couple of hours ago, a hacker name MakMan exposed vulnerability in one of our Gaana user databases. Here's where things stand: First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged. No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either."
He added the data hadn't been accessed or shared with anyone "Most of our users' data has not been compromised, but we've reset all Gaana user passwords. So, all users have to make new ones. Yep, it's a pain, but it's important," he said.
But it was his extraordinary move to reach out to the hackers and seek their help that proved to be the clincher. Addressing Mak Man and Sajjad Ahmad, Gajwani wrote, "Hi, I'm Satyan, CEO of Times Internet, which runs Gaana. First of all, I'd like to apologise personally if you had shared these reports and we didn't respond earlier. Totally unacceptable by us, and I'm looking into it."
He also requested the duo to take down access to the data completely. Then, he made an irresistible offer "And finally, if possible, I'd appreciate if we could hire you as a consultant to help us find any more vulnerabilities across our network so that we can keep our products as secure as possible. If you're interested, message me directly, as I'd be very grateful for your advice."
In response, Sajjad Ahmad said in a post, "Hello Satyan! It's good to see that you took notice of the issue before it was too late. You are right, our intention was not to disclose any private information of the users but to highlight the issue. The vulnerability was reported to the technical head of the website several times but he failed to fix it. Anyhow, the page exposing the information has been taken down permanently. Direct requests from that page were generated to the gaana.com server to extract the information. We assure you no data from the website database was saved anywhere. Mak Man will message you for further discussion."
Soon after, Gajwani tweeted, "The hackers have removed the database from their site #amankiasha". Aman Ki Asha was a campaign run by The Times of India to promote peace and harmony between India and Pakistan.
At around 7:30 pm on Thursday, Mak Man said in a Facebook post: "I hereby confirm no financial information was accessed during the hack of Gaana.com... Database was so huge that I didn't even bother looking (Hell .. I didn't even know if it was there :P) ...and no information was dumped and stored locally...not even a single row." He also dismissed fears of data being saved elsewhere or third-party access: "Most news websites/blogs have posted false information about the hack," he said.
Some netizens, however, expressed disbelief. "Maybe you are posting this, as Gaana.com owners asked you to say this to maintain trust and must have offered you a great amount…Well you did your job…Trusting you that data isn't compromised," posted Abhishek Chawla, a student based in Patiala.
Mak Man replied, "Do you even know the size of a DB having 10 million users? It was huge…It would've taken days."
An email seeking comment sent to Gajwani did not elicit an immediate response.
Just wanted to highlight the issue: Mak Man on Gaana.com hack
In an exclusive chat, Mak Man answers Business Standard queries over Facebook Messenger. Excerpts:
Can you explain in layman terms what exactly did you do? What did you plan to demonstrate by this act?
I just highlighted an issue in a very controlled environment. The issue was that an end user had the privileges to execute SQL commands on their back end server, giving him/her access to all the details stored in their database including user details.
Are you satisfied with Gaana.com's response?
Yes, I'm totally satisfied with the response.
How did you choose Gaana.com?
It was a targeted hack.
Are other Indian e-commerce sites that are similarly vulnerable?
I'm not sure.
Will you take the offer given by Satyan?
Mukarram Khalid's photograph via Twitter