In my book I talked about just how different reality is from what we see on screens and television. Television pushes drama which sells over-priced pop-corns in theaters but doesn't make awesome careers.
Today's post is about Hackers and how real life ethical hacking is different from the hacking you see on Television.
The stories we tell in Television often end with the hacker flipping keys at a couple of hundred wpm's and then raising his arms in glory when he yells "YES!" - he is in the system - he has broken the code.
And he lives happily ever after basking in the glory of new found fame and money.
In the real life however, most complications in our industry begin at precisely the point when our movie hero waves his hand in the air and yells "yes!" - especially if you are a hacker who has an ethic and wants to do the right thing.
Shubham discovered this hard reality with his experience with Ola Cabs - one of India's biggest startups:
I was working on a small side project in which I was monitoring my phone traffic. For this purpose I used MITM Proxy, which is a very light console based proxy server. As I was booking my cab I saw Ola API calls. The structuring of the API calls attracted my attention. Something was amiss here.
These calls were simple HTTP requests without any OAuth token mechanism or any other encryption to guard the APIs. One can easily replicate these calls from a console or by simply using Chrome.
The approach that Subham describes in his article is straight and simple. Interception and then impersonation of calls that you can do with any proxy of your choice. It's not the super intelligent hack that takes a Hacker sleepless nights to solve. Ola's systems were wide open waiting to be hacked literally inviting anyone who had the time and the most elementary tools for fiddling with HTTP Calls. All Shubham had to do was accept the invitation.
Shubham did experience his first rush of adrenaline after breaking into Ola's systems:
In few seconds I received a message on my phone, confirming the recharge and I was like YESSSSSS……..its done!!! I just cannot express what it was like. I just fooled one of the biggest startups with millions in funding.
But the rush soon wore off and like a responsible Hacker Shubham reported the whole episode to Ola, only to receive a "canned" response from the Ola Security Team:
We would like to take this opportunity to "Thank You" for doing a Responsible Disclosure of the bug you found to Ola.
We appreciate the concern and will try to get the bugs fixed ASAP and will keep you posted for the same.
No bounties, no recognition. If this was a movie it would end with the hero raising his hands in the air and going "Yes!" - In the real world, when Shubham tried to do that, Ola basically turned to him and said, "So What? Big Deal!".
Shubham explains his frustration with the entire episode of trying to push Ola to close a potential security threat in their own system:
1,2,3….7 days i.e. one week was over and there was no response, maybe they were busy talking to cabbies. I talked to my senior management and told them about this. They were very supportive and professional about this episode. They helped me report this issue to the management of Ola and even sent a mail to the CEO with all the details and findings of that hack (not boasting but it was a hack).
A few days later, one of their security people replied. It went something like this:
Thanks for reporting this issue to us, we will fix this and will keep you updated.
Almost a month and a half month later, I’m still waiting for a reply or an acknowledgement.
Shubham had figured out a way of hacking one of the biggest startups of India and literally steal money for cab rides. For someone who is not a professional hacker this was huge. He had gone to Ola and had reported the hack like a responsible law abiding citizen. In return Shubham was getting nothing. No Bounties, No real appreciation. No acknowledgement of just how open their systems are!
If you think Ola's cold response to people who report security hacks is reflection of how Indian companies react to security, Kamil Hismatullin bagged a mere 5000$ + 1337$ for reporting a security hole in YouTube that would have given the hacker the rights to delete any YouTube video. The only bright side of the story in this case however was that Google fixed the issue in a matter of hours. Kamil writes off the entire episode and his mere bounty with a humorous remark:
"I've fought the urge to [delete] Bieber's channel," Hismatullin wrote in his blog post. "Luckily no Bieber videos were harmed."
Bounties were a little larger in case of Facebook though which rewarded the hacker 12,500 dollars for reporting a hack that would allow anyone to delete any picture from any face-book profile.
While some choose to turn a blind eye to security, others pay out small bounties, but the actual rewards of ethical hacking seem nowhere close to what should be paid out for these vulnerabilities; both in terms of recognition and price; even if you manage to hack an Ola, a Google or a Facebook!
The point? While ethical hacking can be fun and maybe the best in the world can afford it - but generally, the importance we as an industry give to security vulnerabilities in our code, makes ethical hacking more of a life-style than a career.
To put it simply, our systems are secure, not because the code that we, as an industry, write is secure but because the effort to break our systems just happens to outweigh the rewards we are willing to give out for breaking our systems.
Is that true security? Or is that just an illusion of security? And if it is just an illusion of security, isn't that far more dangerous than no security at all?