For Bug Hunters in India, Apple Has Become a New Honeypot
Apple has released the latest version of its operating system, iOS 14 to iPhones, and iPad OS 14 for iPads. It has drawn criticism from developers for not giving enough time to submit their apps for review, and you can expect issues to crop up for some time. This isn’t great for end users — but for a fast growing community of ethical hackers and security researchers from India, Apple having issues will sound like a chime ringing in opportunities to make money.
Global platforms including Bugcrowd and HackerOne are also seeing a tremendous growth of Indian researchers reporting bugs on their platforms. According to HackerOne, 64,000 new hackers signed up from India between January and July, compared to 29,000 in the same period in 2019. In this time, the number of bounties paid out also nearly doubled, helped by huge payouts by companies like Apple.
Narendra Bhati, 28, moved to Ahmedabad in Gujarat from a small town called Sheoganj in Rajasthan to fulfil his dreams and begin his journey as an animator. However, after reading a blog post on Facebook about hacking, he decided to relinquish the first instalment he paid for an animation course, and moved towards cybersecurity.
Eventually, Bhati joined an institute to train students and corporate employees about ethical hacking — alongside learning about hacking and penetration testing on the Web. He spent nights researching security loopholes and how to report them, and in the day, teaching students about the basics of white hat hacking.
In 2016, Bhati was rewarded with his first bounty from Russian search engine Yandex for reporting a flaw. The bounty was of $109 (roughly Rs. 8,000).
The Rajasthani millennial has by now found around 500 bugs so far for various companies and those included several global companies, including Facebook, Google, LinkedIn, and Microsoft, among others. But in early June, he started putting efforts on Apple products to find security issues in the company’s software and infrastructure.
In a follow-up to a reported bug, on August 6, Apple paid Bhati a bounty of $16,000 (nearly Rs. 12 lakh). This was the biggest bounty he received so far. He made that news public through a tweet, though he didn’t reveal the extent of the flaw as some other ones related that vulnerability are yet to be fixed.
“As compared to [some] other companies, they are [the security team at Apple] very transparent in providing updates to reporters,” Bhati, who is currently working as a Lead Pentester (Assistant Manager) at Suma Soft, told Gadgets 360. “I had a very bad experience in some other programmes where reporters needed to wait for weeks to get a response.”
The Cupertino company launched its Security Bounty programme to all security researchers in December last year and offers rewards of $1 million (roughly Rs. 7.36 crores) and more, which has attracted many security researchers — commonly known in their community as bug bounty hunters — in the country. Some have been paid with heavy bounties, while others are honoured in the company’s hall of fame — a dedicated support page where the company gives credit to people for reporting potential security issues in its Web servers.
Indian security researchers moving towards Apple’s Security Bounty programme gained even more momentum after Delhi-based mobile app developer Bhavuk Jain won $100,000 (nearly Rs. 74 lakhs) for finding a critical bug in the ‘Sign in with Apple‘ feature.
Jain came into the cybersecurity world three years ago, and he first spotted a bug in Yahoo that eventually made him a security researcher. It took four hours to find the bug in Sign in with Apple, which could have allowed hackers to gain access to the linked user accounts. He reported the flaw to Apple in the middle of April, and after receiving a go ahead from the company, he disclosed the flaw publicly through a blog post on May 30.
“Apple is a highly security-focussed company,” 28-year-old Jain told Gadgets 360. “It might be a bit difficult to find issues not impossible. Every software has bugs.”
Similar to Jain and Bhati, Armaan Pathan from Gandhinagar in Gujarat received a bounty of $6,000 (nearly Rs. 4.5 lakhs) on August 1. He forayed into the ethical hacking industry in 2015 — after interestingly learning some basic penetration skills from Bhati — and started his journey as a security researcher by participating in bug bounty programmes available through platforms including Bugcrowd, HackerOne, and Synack. So far, the 25-year-old found over 100 security vulnerabilities in companies including Dropbox, Facebook, Google, and Twitter, among others, before turning his focus to Apple.
“I still remember that I started testing that application back in December 2018,” he said. “I was not actively looking for the issues there, but in late July, I found an issue and I reported it.”
Apple provided an acknowledgement to Pathan about the bug he reported in a couple of days, though it took 15 to 20 days for the company to fix that flaw and send the bounty.
Aside from Bhati, Jain, and Pathan, there are several security researchers in India who have reported bugs to Apple, though they weren’t eligible to receive any bounties.
Varun Gupta, 21, from Alwar, Rajasthan, is amongst the young Indian researchers who have been featured on Apple’s hall of fame for reporting a security misconfiguration in one of Apple’s servers.
“I have seen many researchers posting about the hall of fame and rewards they are getting from Apple, so I also thought to give it a try,” said Gupta, who is currently pursuing Bachelor of Technology from the University of Petroleum and Energy Studies in Dehradun, Uttarakhand.
Alongside Gupta, Ritik Chaddha has also been honoured by Apple for finding an information disclosure on Apple’s subdomain. The bug was leaking the internal system information and the internal API calls being made by the system. Though it wasn’t affecting end users, it could have helped malicious attackers to gain information about Apple’s internal network, said the 20-year-old, who is from Bulandshahr, Uttar Pradesh and is a student of the Bachelor in Computer Application programme at Amity University, Noida.
“I was actively fuzzing the Apple subdomains, looking for any vulnerabilities and luckily, I came across this endpoint,” he told Gadgets 360.
Big money, brand value as prime reasons for attraction
The listing on the Apple Security Bounty programme webpage shows that the company pays bounty payments for a list of issues that exist across its products and services. It starts with a payment of $25,000 (nearly Rs. 18.5 lakhs) for finding flaws in iCloud, lock screen, and user-installed apps. However, the bounty payments go up to $1 million — roughly Rs. 7.37 crores — for bigger issues.
“Apple has been running a lucrative programme as its rewards are huge compared to other bounty programmes,” said Rohit Gautam, Founder of Mumbai-based ethical hacking institute Hacktify Cyber Security.
“Bug hunting involves a lot of effort,” said Himanshu Sharma, Co-Founder of crowdsourced bug bounty platform BugsBounty.com. “Imagine spending hours to find a critical vulnerability and getting paid $100 (roughly Rs. 7,300). This is a demotivation for a lot of bug hunters and is a reason why people tend to lose interest in a programme and switch to some different ones.”
In addition to huge bounties, Apple’s brand value is making it easier for the company to persuade Indian talent to find flaws in its system.
Vikash Chaudhary, Founder of Pune-based cybersecurity consultancy and training firm HackerEra, told Gadgets 360 that the brand value makes a major impact especially in case of freshers who are looking for a job as a security researcher or an ethical hacker at a reputed firm.
“Strong knowledge is required in order to hunt for these types of targets,” said Ojas Bisariya, 20, a security researcher from New Delhi who ventured into the bug hunting field just three-four months back.
New Delhi-based Diksha Chhabra, who has reported over 200 vulnerabilities, said that bug hunters focussed on all tech giants equally whether it was Apple, Google, or Microsoft, but as Apple recently provided high payouts to some people in the country, that made a shift in the focus.
Chhabra, 22, also reported some server-based critical and high vulnerabilities to Apple. She, however, told Gadgets 360 that those were already reported by some other researchers before her.
India as a leading market of security researchers
With many young people joining ethical hacking as a career, India has become a vast market of security researchers. These people are helping various global companies fix their security issues. At the same time, finding bugs and reporting them through a bug bounty programme are enabling Indian security researchers to earn far higher than what they would get through a traditional job.
“[Some] hackers actually became millionaires doing just bug bounty,” said Sharma of BugsBounty.com. “This has definitely attracted a lot of security enthusiasts from India, especially college students.”
HackerOne said that the top ten hackers from India are earning 15 to whopping 90 times the median salary of software engineers in the country.
“Hackers in India contributed 18 percent of vulnerability submissions in 2019 and have ranked in the top five earning countries each of the past three years,” said Luke Tucker, Director of Community at HackerOne, in a statement to Gadgets 360. “Hackers in India epitomise hacking for good and reinforce that ethical hacking is becoming a viable career for many young professionals around the world.”
Just like HackerOne, Bugcrowd also sees a growth in ethical hackers from India. A recent report released by Bugcrowd, which analyses 3,493 survey responses along with ethical hacking activity on the platform between May 1, 2019, and April 30, 2020, mentioned the majority of researchers who collected bounty payments live in India, followed by the US and Canada.
Lack of Indian bounty programmes
Despite growing in terms of new security researchers joining the field and having participants even from small towns and rural areas, India is lacking when it comes to bug bounty programmes. Various Indian companies don’t prefer giving any payouts to researchers reporting flaws and vulnerabilities in their systems. Also, there are some companies that don’t even bother responding to the reports submitted by the researchers.
“Many Indian companies try to save their money by not hosting bug bounty programmes, which in turn goes to attackers for ransomware kind of attacks and end up paying 10 times more than what they could have paid in a bug bounty,” said Hacktify Cyber Security’s Gautam.
Shubham Gupta, who works as an Assistant Manager for the Risk Advisory department at Deloitte for over two and a half years, alongside actively reporting bugs on Bugcrowd and HackerOne since March 2014, believes that it’s quite difficult being as a full-time bug hunter in India mainly due to lack of rewards by local companies.
Many Indian startups nowadays offer bug bounties to researchers to get their vulnerabilities reported and fixed actively. However, researchers believe that the payouts offered are quite low when comparing with what they get from any international entity.
“A lot of companies do not pay the fair amount to the researchers,” said Sharma of BugsBounty.com.
He added that a fair bounty amount would help motivate researchers to participate more that ended up helping secure the infrastructure, rather than focusing on global giants like Apple.
For now, an enormous number of researchers still prefer going to the global platform as they offer them wider access and global exposure.
“We are living in a digital world where 100 percent secure is a myth and still, we have so few programmes,” Soni said.
Is iPhone SE the ultimate ‘affordable’ iPhone for India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.