For 26-year-old Laxman Muthiyah, a Chennai-based independent security researcher, every scroll through his social media feed has a different significance. He thinks deeply about how the websites work and what their millions of lines of code do. He then considers where loopholes might exist, and goes on to spot and identify them.
In the digital space, there are many looking to take control of our accounts, hack them and misuse them. Laxman, over the past 5 years, has won bug bounties amounting to over a whopping $62,000 for spotting bugs, findings that could thwart online hacking attempts.
Most of his rewards came from Facebook and Facebook-owned Instagram. His most recent earning amounted to a whopping $40,000 from Instagram.
“It all began after I attended an ethical hacking workshop when I was in college. In 2013, I won my first bug bounty from Facebook - a princely sum of $1500 for a student,” recalls Laxman.
Although Laxman has completed a degree in computer science engineering, he considers himself a self-taught ethical hacker who learnt the tricks of the trade from workshops, free online content and months of trial and error.
His latest find involved proving to Facebook that multiple accounts could be hacked within 10 minutes.
“When we choose the forget password option, they send us a 6-digit code to authorize our login. Since it is a 6-digit code, there are 1 million possibilities. We could enter between 50-200 random codes every minute and attempt login, and it could be tried for 10 minutes. With multiple IP addresses, we could use lakhs of codes to attempt logging-in and take control of an account. I sent a video of this method to Facebook and after verifying it, they sent me the payment of $30,000 as this method has a high rate of success,” Laxman told WION.
Subsequently, he spotted another bug where the success rate was relatively lower and received a payment of $10,000.
If you’re getting ready to put your bug-hunting skills to use, remember that only a few websites encourage and reward it, whereas it is considered illegal when done without the knowledge of the website owner.
When asked if bug-hunting was a popular profession in India, Laxman said, “There is quite a community of bug hunters in India and some companies support it, but it isn’t so in the West, where there are many more opportunities. In the West, techies work full-time jobs and also take up bug-hunting assignments in their spare time. The work-life balance we have in India does not permit that.”
While bug-hunting is more lucrative than a full-time IT job, one must realize that the practice is pretty much like fishing, where one could end up with a really good catch or none at all, and could go without a catch for months, Laxman says with a laugh.