Hackers are often viewed as modern-day pirates. While mostly true due to the security hazards they create, ethical hackers actually are very helpful in actually improving security standards. Most of these security experts perform these actions simply for the benefit of the community. Rafay Baloch is one such ethical hacker.
Baloch, also known as Pakistan’s “Top Ethical Hacking Prodigy”, has been in the headlines recently for exposing two vulnerabilities in Android’s stock (AOSP) browser. These security loopholes allow hackers to steal the mobile user’s session cookie, enabling them to perform a wide variety of malicious actions including identity theft.
He has helped securing lots of organization and has done hundreds of responsible disclosures. He is best known for being rewarded with $10,000 in cash and a job offer from PayPal, a global online payment solution, for finding remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal.
The celebrated Pakistani young hacker has not yet received the recognition he deserves in his own homeland but is making waves globally.
The world’s leading information security publications have featured Pakistani security researcher, Rafay Baloch, as one of the top ethical hackers in 2014, putting the 21-year-old Karachiite on top of their lists.
CheckMarx, a source code analysis company based out of Tel Aviv, Israel, recognised Baloch as one of the world’s top five ethical hackers who made the headlines in 2014 for exposing a serious vulnerability – a Same-Origin Policy (SOP) bypass – in Android’s Open Source Platform browser (versions older than 4.4).
“Being a Pakistani, I feel great to be recognised by an Israeli company,” Baloch said, responding to a question. CheckMarx was founded by Maty Siman, former advisor to the Israeli Prime Minister’s Office on IT security, who also worked in the computer unit of Israeli Defence Forces.
The recognition comes from a company that has, arguably, the best tool for Static Application Security Testing. CheckMarx was ranked number one for static analysis in “Critical Capabilities for Application Security Testing”, a 2014 report by the world’s leading information technology research and advisory company, Gartner.
“Contrary to common belief, many high-profile hackings in 2014 were performed by ethical hackers interested only in the benefit of the community,” CheckMarx said in a blog post on December 31, 2014, terming 2014 the year of the mega attacks, such as the Snapchat fiasco, iCloud photo leaks and North Korean orchestrated Sony Pictures hacking.
“Rafay Baloch took the world by storm after finding glaring flaws in Android’s stock AOSP browser,” read the post, putting Baloch on top of their list, which also featured ethical hackers from Israel, Egypt and Switzerland among top five in the world.
According to CheckMarx, the security loopholes identified by the Pakistani white hat “have not been addressed and are allowing hackers to steal session cookies to this very day, enabling them to perform a wide variety of malicious actions including identity theft”.
According to the world’s leading information security magazine based out of New York City, The SC Magazine, “Baloch has responsibly disclosed hundreds of vulnerabilities in his roughly six-year career in security research. His biggest discovery may be CVE-2014-6041, a bug that could allow a bad actor to circumvent the AOSP browser’s SOP”. The magazine published this on December 8, 2014 in an article titled Reboot 25: Threat seekers.
Profile of Rafay Baloch – Pakistani ethical hacker
Rafay is an active participant is bug bounty programs to help several major internet corporations improve their internet security and has been acknowledged by Microsoft, ESET and eBay for reporting bugs and flaws in their systems.
Rafay Baloch is a Pakistani independent security researcher and founder and CEO of RHA InfoSec who has been practicing ethical hacking since the age of 14. Baloch hails from Karachi city and has been into security research for more than 6 years now. He has got online certifications of OSCP, CPTE, OSWD, EWAPT.
He is a final-year computer science student at Bahria University.
His core area of expertise include Network Security and Web Application Penetration Testing, and author of “Ethical hacking and penetration testing guide”. He is specialized in finding security vulnerabilities in Web application and frameworks and browsers, bypassing web application firewalls, HTML 5 attack vectors and breaking filters of modern web-browsers.
The Pakistani AppSec expert, currently an undergraduate student, spends his free time honing his research skills, testing the robustness of applications and locating vulnerabilities for everyone’s benefits
“Ethical hacking, which makes the information world more secure, is one way we [Pakistanis] can change our country’s negative perception in the world,” said Baloch.