People think I do this for money, but I don’t. I do it because I value data privacy, says Anand Prakash.
Throwing a backpack casually over a table in a coffee house, Anand Prakash is completely in sync with his new-found popularity. "Ask me your questions," says the 22-year-old who agrees that he is getting used to interviews.
Bengaluru-based Prakash’s name attracted attention after his blog post started seeing traction. Prakash wrote about how he had found a “simple vulnerability” on Facebook, for which the networking portal gave him a bounty of $15,000.
But this wasn't the first time that Prakash, a security engineer at Flipkart, was rewarded for finding a bug. He has spotted 90 bugs for Facebook alone and about 30 for Twitter. Those who have given him bounties in the past for reporting security vulnerabilities include global web giants such as Google, Red Hat, Dropbox, Adobe, eBay and PayPal.
What was alarming about this particular bug was that it instantly allowed Prakash access to accounts of the billion users Facebook has -- credit and debit card details, personal photos and more. Prakash’s friend and colleague Ankur Bhargava, also a security analyst, explains that Prakash got the bounty not for the bug itself, but because of the severe consequences that it could have.
"If this bug was sold in the grey market where hackers could have exploited it, Anand could have easily made millions of dollars,” says Bhargava. "He could have earned easy money, but he chose not to and waited till Facebook fixed the bug before making the bug public." Similarly, when Prakash found a bug on Zomato and had access to all of its user accounts, he reported it straight to Zomato. There was no bounty for this one.
"People think I do this for money, but I don’t. I do it because I value data privacy," says Prakash. His parents, back home in Rajasthan, do not understand his work, but just know he has grown to spend a lot of time with computers now.
Once an intern with the cyber crime cell of the Gurgaon police, Prakash recalls seeing young girls walking into the police station to report harassment. "It was so disturbing to see them in tears. The main issue was of their private data being leaked. It was all happening in real time and I realised the importance of data security measures," he says.
Prakash's interest in website security dates back to pre-Facebook days in India, the days when Orkut was all the rage. “A friend bet that I couldn’t hack into his account; I didn’t even know how these things worked, so I just started looking things up,” he says. He went on to win the bet.
"Anand has found a lot of cool bugs on different websites; it's his perspective and attitude towards things that makes him stand out against the rest. Hacking is a technique, but how you break things down and the way you think about it also matters," says Bhargava.
Prakash doesn't check in on Facebook, no matter where he goes, has no (private) messages online, or even a display picture on WhatsApp -- Prakash is solely on social media to find and fix security vulnerabilities. “I never store my card details online, either -- it’s just not safe," he says.
In the days to come, Prakash has the tough task of sifting through his social media accounts. The morning after he first blogged about finding this particular bug, he had 500 new followers on Twitter and had hundreds of messages waiting for him on Facebook. Most of these were requests from those who wanted Prakash to hack into their girlfriends’ accounts.
Happy to be at Flipkart "because it's a really cool and chilled-out place to work," Prakash is also excited about what the future holds as he dreams of going the entrepreneurial way soon.
Image: Anand Prakash. Photograph, courtesy his Facebook page.
