Engineering student Arun Suresh Kumar reported two significant security-related bugs to Facebook.
Arun Suresh Kumar’s first tryst with computers was a Pentium 3 processor with 128 MB RAM.
“I used to play games on it,” says the lad who has participated in and won bounties for his skills in cracking and fixing security bugs — the Bitcasa Bug Bounty and the AT&T Bug Bounty being some popular ones.
Arun was in Class 12 when he discovered his love for Web technology and is now inspiring several young minds to take notice of this career stream.
A final year student of computer science and engineering technology at the MES Institute of Technology and Management, Chathannoor, Kollam, Kerala, Arun would often test security tools on platforms like Google and Facebook to find out if they were vulnerable.
Between April 2016 and August 2016, Arun, 20, spotted two technical bugs for which he has been rewarded approximately Rs 21 lakh ($10,000 in April; $5,000 and $1,000 in May and $16,000 in September) by the Facebook team.
“We appreciate all the researchers who work closely with our teams to improve the security of Facebook products. We’re happy to recognise and reward Arun for his excellent report,” Melanie Ensign, who works in Security Communications at Facebook, told Rediff.com.
Arun’s father Suresh Kumar is a clerk at the panchayat office in Kollam while his mother Nathalakshmi is a housewife.
His younger brother Akhil, 18, is in the first year of computer engineering at MES, Kollam.
In a telephone conversation with Rediff.com’s Divya Nair, Arun spoke about his dream to make the Internet a safe place for all.
When did you spot the first bug?
In April, while researching a security tool on Facebook, I found a bug through which one could easily hack another user’s password and take over the entire account.
I wrote to Facebook’s Web security team and they acknowledged the bug. I was rewarded for my report in parts – $10,000 in April; $5,000 and $1,000 in May – through Bugcrowd, a crowdsourced security platform.
Tell us about the bug.
Facebook, as you know, allows users from across the world to create and manage pages. There are pages for businesses, celebrities and important people, some of which are managed by a user, say a business manager.
During my research on Web security, I realised that the programme written for transferring pages is not foolproof.
For example, suppose there is a page on a celebrity, let’s say Shah Rukh Khan, which is managed by Business Manager A, who also created it.
If for some reason Shah Rukh wants to change his business manager, the management of the page will be transferred to a new user, say Business Manager B, who will be allowed to make edits and manage the page from then on.
During the transfer process, which includes sharing of passwords etc, there is no step to verify the sender and new receiver’s details.
My research revealed that it would take a hacker less than 10 seconds to hack the page, access and change its key details, including passwords.
On August 29, around midnight, I wrote to the Web security team at Facebook about the bug and how a certain page can be taken over by a new user without any checks.
The e-mail was acknowledged the following day, August 30 at 6.52 am.
Was the bug fixed?
A few hours later, the same day (August 29) I received a message from Facebook’s security team member Neal Poole, saying the issue had been addressed and they were working on a temporary and permanent solution. I was also constantly checking.
On September 6, I wrote to them, stating the bug had been ‘patched’.
When did you receive the prize money?
On September 16, security team member Rusty informed me that Facebook had decided to pay me a bounty of 16,000 dollars for the report.
The e-mail said: ‘A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.’
I received the money the same day.
What was your parents’ reaction when you received the money?
Since this was a security error and the information could be misused, I had only informed my parents about this. When they got to know that Facebook had acknowledged my report, they were excited.
What do you plan to do with the money?
I intend to use it to fund my higher studies.
Since it was a private meeting, the security team had scheduled it at a restaurant. We had an interesting and informative chat. The staff was very experienced and open to feedback.
They appreciated my interest in Web security and suggested that I continue testing their site tools.
After completing my engineering, I have been asked to send my profile. It was encouraging to know that if deemed fit, I might be referred for a role in the team.
Did you visit the Facebook HQ?
Yes, I did. I went there in the evening. It is a huge office and even around 7 pm, I could see a lot of people working. Maybe they were in the night shifts.
I found the office to be spacious and the staff to be friendly. The work environment looked good too. It’s a dream for anyone to work in an organisation like that.
Did you get to meet Mark Zuckerberg?
Have you got any job offers yet?
Are you aware of UST Global? I have a private interview at their Trivandrum office. It’s a big tech company and it would be a privilege to work with them.
Would you like to work in India or abroad?
I would prefer to work in India.
What are your future plans?
I am passionate about Web security and development, so would like to pursue something around it. My dream is to make the Internet safer for all.