Rahul D Kankrale (30) is an independent cybersecurity expert from Kopergaon village near Shirdi in Maharashtra. He has no formal education in ethical hacking but has helped thousands of companies, including tech giants, fix their bugs.
Shirdi: A geek from Kopergaon village near Shirdi in Maharashtra will be giving a tech talk at a cybersecurity event in Singapore jointly organized by Facebook and Google on March 30. Rahul D Kankrale (30), an independent cybersecurity expert, has not taken any formal education in ethical hacking but has helped thousands of companies, including tech giants, fix their bugs.
MyNation spoke to Kankrale, who has recently bagged two bounties of over $1,000 each from the social media platforms Twitter and Facebook. Kankrale has so far reported bugs in 1,800 websites, of which 1,200 have been patched.
He will be speaking at BountyCon in Singapore on March 30, organized by Facebook and Google, after placing third in a Capture the Flag (CTF) competition among over 400 researchers.
Talking about his latest bounty, Kankrale said that there are two Android apps for Twitter: one is the standard app, while the other is a lighter version. He spotted the problem in the Android version of the Twitter Lite app.
“I found that through a JavaScript injection vulnerability a hacker could run a malicious application that could steal the user’s files or manipulate notifications. I reported the case to Twitter, which paid a bounty of $1,000,” Kankrale said.
Similarly, Facebook paid him $1,500 for reporting a social engineering attack.
“Facebook never treated social engineering attacks like phishing as a security issue. On the FB Android app, if you open any link it will open in its internal browser. When I did a vulnerability assessment of that browser, I found that the internal browser was vulnerable to address bar spoofing. Through address bar spoofing, a user’s browser address bar can be altered to force the browser to display web pages chosen by the attacker. Through this one can steal a login ID or other important details,” Kankrale said.
In the past few years, Kankrale has earned more than Rs 30 lakh by reporting bugs. He claims that India has huge potential, as there are many IT students, and with the boost to Digital India, the cybersecurity space is only growing.
“Not many know that bug bounty can be a full-fledged career. Even Indian companies are paying good money for reporting a bug on their platform. Indian companies pay as much as $4,000 for bug reporting. So the Indian market is only growing and has huge potential for cyber researchers,” he said.
Dynamics in India have changed so much that Kankrale, sitting in a small village near Shirdi, has assisted state police in their investigations, along with helping Indian corporates fix the bugs on their digital platforms.
Kankrale did his engineering from Nasik but never took a formal education in cybersecurity. “I have always been interested in computers and technology, but when I was doing engineering nobody knew about hacking. I started with tricks on Orkut and then I started scanning YouTube videos for technical know-how. I learned everything through the internet. This field is changing every day, so one has to be always updated.”
He has recently discovered a method that can fetch anyone’s IP address over WhatsApp, information which companies are usually reluctant to share with law enforcement agencies.
This is said to be achieved by making the potential victim click on a link sent as a WhatsApp message. The link is said to appear without any preview, unlike the regular links shown in the messaging app. The link exploits a user’s natural tendency to click on any received ‘mysterious’ page link. This has helped security agencies track criminals using WhatsApp on foreign-generated numbers or dead connections.