Hackers for good: How Anand Prakash rescued Facebook

In the first installment in an occasional series about ethical hackers, Passcode profiles one of India's most successful freelance cybersecurity researchers known for finding – and helping fix – serious flaws in Facebook.

Bug bounty hunter Anand Prakash with his dog Whiskey at his home in Bangalore, India.

Kshitij Nagar/Special to The Christian Science Monitor

October 3, 2016

Anand Prakash is one of the tens of thousands of young Indians who have flocked here in the past several years chasing their fortunes in this city's teeming tech industry.

The deluge has transformed a once laid-back "pensioners' paradise" into a chaotic mélange of glass and steel buildings, office parks, and grinding traffic gridlock. Bangalore has become America's information technology back office, its help desk, and its customer hot line.

But unlike many of his peers working on engineering and development teams, Mr. Prakash is more comfortable breaking software. He's a hacker. In fact, he's one of the most well known in India, famous for hacking Facebook and Google.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

No, he's not a criminal, a digital prankster, or online miscreant. He's a hacker for good – a so-called "white hat hacker." In essence, Prakash serves as one-man technical help desk for some of the most powerful software companies in the world: He roots out software vulnerabilities, reports the bugs to tech giants, and is rewarded – handsomely.

He recently earned $15,000 for reporting a single flaw to Facebook that could have exposed account details on the company's more than 1 billion users. In a blog post about the vulnerability, Prakash described how he manipulated a security vulnerability to show that anyone could reset another users' account password. In all, he’s earned more than $200,000 for reporting security issues to Facebook, Twitter, Google, eBay, and Dropbox, just to name a few. 

Ethical hacker Anand Prakash recently earned $15,000 for reporting a single flaw to Facebook.
Kshitij Nagar/Special to The Christian Science Monitor

At a time when the term "hacker" has become more associated with bad guys and foreign spies breaking into tech companies such as Yahoo or political organizations like the Democratic National Committee, Prakash provides an antidote to that prevailing narrative. He doesn't wear a black hoodie or dwell in the darker corners of the internet.

When we met at a cafe on Bangalore’s Sarjapur Road, Prakash wore neat slacks and a button-down shirt. He looked like he would be more at home working inside an H&R Block branch office than appearing in an episode of the hacker TV drama "Mr. Robot."

He had none of the studied insouciance or the condescension that many others of his ilk display to security neophytes. He's soft spoken and polite, perhaps because of his rural upbringing in the village of Bhadra, in the northwestern Indian state of Rajasthan, about 1,500 miles away from Bangalore’s often crass urbanity.

Why Florida and almost half of US states are enshrining a right to hunt and fish

He's the first engineer in a family of farmers. Prakash's father dropped out of school after 10th grade and runs a small pesticide business in the village. His mother is illiterate. "They don’t even know what I do. But they are proud of me," he says.

Prakash's journey to Bangalore began when he was 16. On a dare, he broke into a friend’s account on Orkut, the social media site Google shut down in 2014. With a little research and a basic knowledge of programming, Prakash constructed a fake log-in page where his friend revealed his account credentials. That trick launched his hacking career. 

He discovered ethical hacking while completing an engineering degree in computer science from the Vellore Institute of Technology in the south Indian coastal city of Chennai. An internship with the Cyber Police Investigation Branch of the Gurgoan Police near Delhi provided insight into how criminal hackers – or "black hats" in tech parlance – operated.

While he was still in college in 2011, Facebook launched its bug bounty program, a way of rewarding security researchers who discovered and reported software flaws to the social media giant. Since then, bug bounties have become the norm. Earlier this year, the Pentagon invited hackers to attack its sites in a bug bounty program. Apple has one now, and so does GM.

And many other young, talented Indian hackers have joined bug bounty efforts, too, looking to put their computer talents to work outside the offices filled with banal software development or tech support teams in Bangalore.

Since launching its bounty program, Facebook has paid out close to $720,000 to researchers from India - more than any other country. In fact, at 23, Prakash is already older than many in a growing cadre of hundreds of Indian bug bounty hunters. 

Prakash says he's not just hunting for software bugs for the money. He says he could earn a lot more selling vulnerabilities to people to government agencies who buy these exploits as ways of spying on adversaries or to shadowy criminal groups that use them for illegal purposes.

"I’m mainly concerned about data privacy. I do not want to harm users," he says. "There is a kind of happiness when you do something for good."

Editor's note: This story was updated after publication to correct the history of the social media site Orkut and the location of Anand Prakash's hometown.