Published: 17th July 2019
Meet the 19-year-old from Thiruvananthapuram who catches bugs on Facebook for a living!
K S Ananthakrishnan found a bug in WhatsApp that could have corrupted users' data
These days, teenagers are never away from their phones. This is a common complaint in the digital era. But today, we are introducing you to a teenager who has made his way into the Facebook Hall of Fame and has won a bounty of $500 at the age of 19! He has detected several other bugs in various online platforms, but this one was the game-changer. Meet 19-year-old Ananthakrishnan K S, a student of Mount Zion College of Engineering, Pathanamthitta, who came across a major bug in WhatsApp.
How did you come across the bug?
I test for bugs in several web applications, WhatsApp being one among them. In the past, I have won several bounty awards for detecting them. When I found the bug in WhatsApp, I notified it to Facebook. Facebook systems are secure and it is not easy for a bug to infiltrate them as the entire system is well protected. I tried to get to the root of the issue and reported it when I found it. Although I can't reveal the entire methodology, in short, I would say that it was a case of memory corruption and its impact could have led to the misuse of WhatsApp data, including media.
When did you find it?
I found it in the middle of this year. I did not report it immediately because I was trying to analyse the complete impact of it. Because it often happens that you might come across a smaller bug which may get connected to multiple issues to reveal a bigger or even worse bug. So you have to wait to understand the impact.
Remote code execution has a greater impact. So the first symptom I noted was the crashing of a person's WhatsApp app, following which the complete system would be under the attacker's control. I had to find out what the bug's impact could lead to. I reported it in January and got my first reply within the next three days. After this, I sent them a video to prove the presence of the bug. Since it is a huge company and they get a huge number of bug reports every day, they wanted me to provide them with more details. They also gave me the contact of the security engineer and asked me to prove it.
Later, they followed up on this and replied that they would flag it to the development team. After a month, they said that they had fixed the bug and requested me to check up on it. I tested it and confirmed that the bug was fixed. In three weeks, they gave me the bounty amount of 500 dollars. And as a feather on top of my cap, my name came up in Facebook's Hall of Fame, a prestigious list of people who are rewarded for detecting bugs.
You said that you are a bug hunter. How long have you been doing this?
I have been doing this for the past two years. I had seen a few expert bug hunters at work and gradually developed an interest. Initially, I struggled to find a bug myself. I didn't know how to follow up on it. Not everyone shares the method they use to find bugs, so if we want to do it ourselves, we have to find our own way of detecting the bug. We use certain tools to test them; Burp Suite is one of the important ones, and it helps in checking the security.
Can you share more about the bug hunting process?
For bug hunting, there are two important platforms: HackerOne and Bugcrowd. There are several public and private programmes available. When we test the public programme, they reward us and, with that, we are provided access to private programmes.
Do you consider bug hunting as your career?
No, bug hunting is not my career. It can be considered a side career of sorts. India needs to take more care when it comes to Information Security and develop more scope in these areas.
Can you talk to us about your college and how you found an interest in IT?
I just completed my first year of college. There are several professors who have been supporting us, but we need the support of students too. I have conducted a programme called 'Capture The Flag' for a tech festival in our college. I had planted a known bug and nobody could find it. I gave them eight hours to solve it. At night, I made a conference call and explained the technique for finding it. That's when they finally found it.
When did you start learning about certified ethical hacking?
I am not particularly interested in ethical hacking but I am interested in the position of an Offensive Security Certified Professional (OSCP). There are many levels in the same. In OSCP, you are made to completely use a specific tool. That is, from a basic understanding, it is taken to an advanced level.
What are your future plans?
I would like to take up a career in Information Security. Or else, I would be interested in becoming a web application developer.