advertisement
It is raining bug bounties for Indian ethical hackers and cybersecurity researchers as now, an Ahmedabad-based security researcher Bipin Jitiya has won Rs 23.8 lakh ($31,500) from Facebook for identifying a bug in its social networking platform and a third-party business intelligence portal.
Jitiya, 26, identified the web security vulnerability in internal blind Server-Side Request Forgery (SSRF) in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.
MicroStrategy has partnered with Facebook on data analytics projects for several years. Jitiya reported the bug to the MicroStrategy's security team, who acknowledged it, saying the issue has been mitigated.
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. In typical SSRF attacks, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organisation's infrastructure, or to external third-party systems.
"I created a scenario that shows how sensitive information leakage may be useful for launching specific attacks like path traversal and Server Side Request Forgery (SSRF). If an attacker is able to learn the internal IP addresses of the network, it is much easier for him/her to target systems in the internal network," explained Jitiya.
The bug has now been fixed.
On a question, whether he would join Facebook cybersecurity research team if given an offer, Jitiya told IANS: "I would like to stay in India and work as a security researcher for Indian firms. I am not a bug bounty hacker".
Last month, a 27-year-old Indian security researcher Bhavuk Jain grabbed $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched Zero-Day vulnerability in the Sign in with Apple account authentication.
The Zero-Day vulnerability could have allowed a hacker to break into an Apple user's account who log into third-party apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) and more.
"Indian ethical hackers and security researchers have come of age, and are now creating headlines the world over with their unmatched skills," said Jitiya.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)