Anand Prakash eats the security protocols at large companies for breakfast.
After successfully hacking Facebook, Uber and Twitter, Prakash has discovered a security flaw in dating app Tinder. The flaw would have allowed him to access anyone’s Tinder account, including their personal messages and profiles, and to right or left swipe on their behalf. The vulnerability arose in part because Tinder uses Account Kit, a Facebook product that lets people register for apps using just their phone numbers or email addresses, without needing a password.
Prakash discovered that a malicious attacker could simply log into Account Kit by entering the victim’s account number, because Account Kit was not verifying the mapping of the phone numbers with the one-time passwords (OTPs). After using the “aks” access token that’s stored as a cookie to log in, the attacker had full access to the victim’s Tinder account.
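The class of flaw described above, a one-time code that is not checked against the number it was issued to, is shown here as an added example beside a hardened check. It is a simplified model, not Account Kit's or Tinder's code; `OtpService`, its method names, the TTL, the attempt limit and the phone numbers are all assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5     # wrong guesses allowed per code (assumed value)

class OtpService:
    """Hypothetical phone-number login service; not Account Kit's code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # phone -> [otp, expires_at, attempts_left]

    def request_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [otp, self._clock() + OTP_TTL, MAX_ATTEMPTS]
        return otp           # a real service sends this by SMS only

    def verify_unbound(self, claimed_phone, otp):
        # FLAWED: any live code is accepted for whatever number is claimed.
        now = self._clock()
        for code, expires_at, _ in self._pending.values():
            if expires_at > now and hmac.compare_digest(code, otp):
                return claimed_phone
        return None

    def verify_bound(self, claimed_phone, otp):
        # HARDENED: look up only the code issued to the claimed number.
        rec = self._pending.get(claimed_phone)
        if rec is None or rec[1] <= self._clock():
            self._pending.pop(claimed_phone, None)
            return None
        rec[2] -= 1
        ok = hmac.compare_digest(rec[0], otp)
        if ok or rec[2] <= 0:
            del self._pending[claimed_phone]   # single use, capped guesses
        return claimed_phone if ok else None

def demo():
    svc = OtpService()
    own, other = "+10000000001", "+10000000002"   # constructed numbers
    code = svc.request_otp(own)                   # code issued to `own` only
    return (svc.verify_unbound(other, code),      # session for `other`: the bug
            svc.verify_bound(other, code),        # None: rejected
            svc.verify_bound(own, code))          # session for `own`

if __name__ == "__main__":
    print(demo())
```

The hardened path also expires codes, makes them single use and caps guesses, since binding alone does not stop a six-digit code from being brute-forced.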
A lesser man would’ve been tempted to log into random accounts and right-swipe himself with abandon, but Prakash instead chose to disclose the vulnerability to Tinder and Facebook. The two companies quickly fixed the bug. And thanks to his efforts, Prakash was awarded $5000 (Rs. 3,25,000) by Facebook and $1250 (Rs. 81,000) by Tinder.
This isn’t the first time Prakash has managed to earn some serious moolah after discovering security vulnerabilities with major apps. In 2015, he’d been awarded Rs. 10 lakh by Facebook for detecting a bug on their systems. He was also paid Rs. 3 lakh by Uber when he told them of how he’d discovered a way to take an unlimited number of rides for free. Last year, he’d been paid Rs. 3.25 lakh by Twitter after he’d shown how he could take over any account and tweet from it.
Prakash is just 24, but he’s already become one of India’s best-known security professionals. He’d graduated from Vellore Institute of Technology in 2014 with a degree in Computer Science. He’d been interested in internet security right from college, having interned with the Haryana Police in its Cyber Security team. After graduating, he’d worked with Flipkart for two years as a Security Researcher.