Facebook top hacker now sells “proof of exploitability”

Anand Prakash isn’t a pentester. And yet, he expects companies to pay him to quickly exploit any security holes they might have. Who is he then?


He’s been hunting for bugs since his early twenties, simply excited by the opportunity to earn some money remotely.

“I started doing bug bounty hunting during my college days when someone posted on Twitter that they got like 500 bucks from Facebook and I was like, ‘you sit in some remote part of the world and you are able to do that, right?’ Crazy thing,” he told me.

Anand made it onto Uber’s, Facebook’s, and Twitter’s lists of top white hat hackers before setting out to start his own company.

Big catch

Anand made a name for himself as a hacker after finding severe vulnerabilities that could have been abused to compromise Facebook, Twitter, Uber, and Tinder accounts, among others.

Facebook paid Anand $15,000 in 2016 for the discovery of a bug that could’ve allowed full user account takeover.

In 2018, he detailed how Tinder accounts could be hacked through Facebook’s Account Kit. Tinder awarded him $1,250 for finding the bug, while Facebook was more generous and issued a $5,000 reward.

In 2019, Uber awarded Anand $6,500 for reporting a vulnerability that could have given attackers the power to compromise and control any Uber account.


These are just a few of the flaws that Anand has discovered through his career as a white hat hacker.

Having discovered thousands of vulnerabilities together with his partner, Nishant Mittal, Anand says he now understands a hacker’s mindset, and he is building a platform to put that knowledge to use.

PingSafe exits stealth mode

Together with like-minded people, Anand launched a cloud-native application protection platform (CNAPP) that uses what he calls “attacker intelligence” to discover vulnerabilities faster.

“I started bug bounty hunting for fun but when I was around 20 years old I realized that security is going to play a big role in people's lives. I thought that we should build out something that’s solving problems for the billions of users out there,” Anand told me.

Just last week, PingSafe announced that it had emerged from stealth mode with $3.3 million in seed funding. With over 60 employees, the company is mainly expanding in the US at the moment.

PingSafe applies what Anand calls “attacker intelligence” to safeguard its clients. In essence, it probes a client organization from the outside, the way an attacker would, to surface its vulnerabilities faster.

The problem with the cloud

Before the emergence of Google Cloud, Amazon Web Services, and Microsoft Azure, data was managed under strict control in on-premises data centers. With these top three cloud providers entering the scene, operations became significantly easier and more scalable, but the security challenge grew with them.

“What happens on the back end is the companies have to give access to everyone in the company, right? The developers can deploy whatever they want, right? The companies don't have complete visibility on the gaps that may happen because of a specific change which is done on these cloud providers. So that visibility is not there, the change is instant, and hackers are continuously looking out for more and more bugs. They try to find them from outside and exploit them,” Anand explained, detailing a growing security challenge within the cloud environment.


Companies, recognizing the challenge, have opened bug bounty programs that pay independent security researchers for pointing out security holes and helping to patch them. While that is encouraging, Anand thinks it is not really enough.

The ultimate penetrator

One PingSafe service stands out: a feature the company calls “proof of exploitability”.

According to Anand, traditional security tools scan a system for, let’s say, the Log4j vulnerability, and then simply report the results to the client.

“They will say you have 50,000 bugs. PingSafe doesn't say you have 50,000 bugs. It actually goes and tries exploiting them from outside like an attacker and says only 50 are exploitable.”

Anand believes that this approach could calm some nerves, letting security teams only focus on bugs that are exploitable.

Essentially, this means that Anand’s team acts as if they were malicious attackers.

“We send harmless payloads to our customer's infrastructure and say, ‘this is how someone can use this exploit to hack your infrastructure.’ Companies can see that and immediately act on it. That's only done for critical severity issues where the exploit is widely published, like Log4j,” Anand explained.
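The triage idea described above, as an added example that is not PingSafe’s code: a scanner reports every host carrying a vulnerable component version, and a validation pass narrows that list to what an outsider could actually reach and use. The findings, version numbers, internal address ranges and the harmless probe result are all constructed for the example; the probe is injected as a function so the script itself contacts nothing.

```python
"""Narrow raw scanner findings down to externally exploitable ones.

Added illustration of the "proof of exploitability" idea; not PingSafe's
code. All hosts, versions and probe outcomes below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass
class Finding:
    finding_id: str        # scanner's own identifier (constructed)
    host: str              # IP address on which the component was seen
    component: str         # e.g. "log4j-core" (the article's example)
    version: str           # installed version reported by the scanner
    fixed_in: str          # first version containing the fix (constructed)
    exploit_public: bool   # a working exploit is widely published
    severity: str          # "critical", "high", ...


# Hypothetical internal ranges for this organisation; anything outside
# them is treated as reachable "from outside like an attacker".
INTERNAL_RANGES = [ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable_version(f: Finding) -> bool:
    """Vulnerable when the installed version predates the fixed one."""
    return parse_version(f.version) < parse_version(f.fixed_in)


def is_internet_exposed(host: str) -> bool:
    addr = ip_address(host)
    return not any(addr in net for net in INTERNAL_RANGES)


def triage(findings: List[Finding], probe: Callable[[Finding], bool]) -> List[Finding]:
    """Return only findings an external attacker could actually use.

    probe(f) stands in for the harmless validation request; it returns True
    when the weakness is confirmed reachable. Validation is attempted only
    for critical issues with a widely published exploit, as in the article.
    """
    exploitable = []
    for f in findings:
        if f.severity != "critical" or not f.exploit_public:
            continue                      # out of scope for active validation
        if not is_vulnerable_version(f):
            continue                      # already patched: scanner noise
        if not is_internet_exposed(f.host):
            continue                      # not reachable from the outside
        if probe(f):
            exploitable.append(f)         # confirmed: worth immediate action
    return exploitable


# Constructed scanner output: five reports, only one of which holds up.
SAMPLE_FINDINGS = [
    Finding("F-1", "198.51.100.7", "log4j-core", "2.14.1", "2.17.1", True, "critical"),
    Finding("F-2", "10.0.4.12", "log4j-core", "2.14.1", "2.17.1", True, "critical"),
    Finding("F-3", "198.51.100.9", "log4j-core", "2.17.1", "2.17.1", True, "critical"),
    Finding("F-4", "198.51.100.20", "example-lib", "1.0.0", "1.0.1", False, "high"),
    Finding("F-5", "198.51.100.21", "log4j-core", "2.14.1", "2.17.1", True, "critical"),
]

# Constructed probe outcome: only one host answered the harmless check.
CONFIRMED_BY_PROBE = {"198.51.100.7"}


def demo_probe(f: Finding) -> bool:
    return f.host in CONFIRMED_BY_PROBE


def demo() -> List[str]:
    """IDs the security team should act on, in scanner order."""
    return [f.finding_id for f in triage(SAMPLE_FINDINGS, demo_probe)]


if __name__ == "__main__":
    print(f"reported: {len(SAMPLE_FINDINGS)}, exploitable: {demo()}")
```

F-2 is on an internal address, F-3 is already patched, F-4 has no published exploit and is not critical, and F-5 fails the harmless probe, so only F-1 survives; that is the reduction from "50,000 bugs" to the handful worth acting on that the article describes.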
