How did Rafay Baloch, the Pakistani ethical hacker, earn a $5000 reward?

One of the leading issues we are facing today is our image. Whatever the reasons are, our impression and worldwide image are not getting better. Therefore, whenever some positive news makes waves, we tend to feel overjoyed.

Certain individuals are doing their best to change that image and turn it into a positive one. One such individual is Rafay Baloch, who recently made headlines by winning a $5000 reward for exposing a security bug in leading web browsers.

The story concerns Google Chrome, Firefox and a few other web browsers, which awarded Rafay, an ethical hacker, $5000 under their bug bounty programs. It is not the first time that the young man has made the headlines; in fact, he has had coverage in international media outlets for a range of contributions to cyber security.

While explaining the latest security issue he identified, Rafay Baloch said, “Let’s start by understanding how we identify or differentiate between a real and a fake page on the web. It’s the URL or address bar that defines it. Usually, addresses are written from left to right (like typical English text), but some languages are right to left, like Urdu and Arabic. Due to this, a web browser may get confused about how to show the page and may lead a visitor to a fake page, risking an information leak as a result.”

He has also explained the flaw in a blog post. According to him, it could be used to trick users into supplying sensitive information to a malicious site simply because the website the user landed on looks exactly like the legitimate version, judging by the address box in the web browser.

Here’s How It Works:

This vulnerability (dubbed address bar spoofing) works because some languages are displayed right to left (Arabic and Hebrew, for example).

Now, a direction-neutral character (such as the slash), which takes its display direction from the surrounding text, can be used next to right-to-left text to flip a web address so that it, too, displays right to left.

He gives an example of ا/ that would instead appear in the address bar of browsers as ا/

Now, if someone clicks on the link in a spam email, message or Tweet, the user appears to be going on, but the site would display information and content from the IP address.

Ordinary users might not understand this difference between logical order and display order and may fall into the trap. This can lead to identity theft and much more, since the attacker now controls the only reliable security indicator.
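The spoof described above relies on the Unicode bidirectional algorithm reordering neutral characters around a strong right-to-left run. The following defender-side triage check is an added example, not code from the article or from Rafay's blog post: it parses a URL, reports the host the browser will really connect to, and flags URLs that contain explicit bidi control characters or a strong right-to-left character followed by Latin text (the mixed-direction pattern the spoof needs). The sample URLs are constructed; the heuristic is an assumption for link-scanning, not a browser fix.

```python
import unicodedata
from urllib.parse import urlsplit

# Strong RTL classes: Hebrew-type (R) and Arabic-type (AL) letters. Neutral
# characters such as "/", "." and ":" take their direction from these runs.
STRONG_RTL = {"R", "AL"}
# Explicit bidi embeddings/overrides/isolates have no business in a URL.
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_report(url: str) -> dict:
    """Describe direction-changing characters in a URL (triage heuristic).

    Flags the URL when it carries an explicit bidi control, or when a strong
    RTL character is followed in logical order by Latin (class "L") text: the
    tail of the URL will then render to the left of the RTL run, so what the
    address bar shows as the host may differ from the host actually contacted.
    Pure right-to-left IDNs with no Latin tail are not flagged.
    """
    parts = urlsplit(url)  # the host the browser connects to is parts.hostname
    classes = [unicodedata.bidirectional(c) for c in url]

    rtl_positions = [i for i, cls in enumerate(classes) if cls in STRONG_RTL]
    controls = [(i, f"U+{ord(url[i]):04X}")
                for i, cls in enumerate(classes) if cls in BIDI_CONTROLS]

    ltr_after_rtl = False
    if rtl_positions:
        first = rtl_positions[0]
        ltr_after_rtl = any(cls == "L" for cls in classes[first + 1:])

    return {
        "host": parts.hostname,          # what will really be resolved
        "rtl_chars": len(rtl_positions),
        "bidi_controls": controls,
        "suspicious": bool(controls) or ltr_after_rtl,
    }


if __name__ == "__main__":
    # Constructed samples: plain URL, mixed-direction path, pure Arabic IDN,
    # and a path carrying an RLO (U+202E) override.
    for sample in ("http://example.com/page",
                   "http://192.0.2.1/\u0627/example.com",
                   "http://\u0645\u062b\u0627\u0644.\u0625\u062e\u062a\u0628\u0627\u0631/",
                   "http://example.com/\u202Efile"):
        print(sample, "->", bidi_report(sample))
```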

Has it Been Fixed?

According to Rafay, the bug has been fixed in the desktop versions of the browsers, but 75% of mobile browsers are yet to fix it. Since they are still working on it, the names and other details of those browsers remain confidential under the responsible disclosure policy and NDA.

Users are advised to update their browsers to the latest version and to be careful when opening spam links or websites with right-to-left addresses.

Cybercrime Bill and Ethical Hacking:

Regarding the impact of the recently adopted PECB 2015, he was of the view that it would have far-reaching and negative implications for ethical hacking in Pakistan.

While sharing his concerns over the cybercrime bill, he said: “The state has mixed cyber crimes with cyberterrorism, and there is a lack of clarity and differentiation between the two. Secondly, any access to ‘critical infrastructure’ has been made punishable, but who will define what critical infrastructure is? The definition may differ for different users with various perspectives.”

He deplored the ambiguity and lack of clarity in certain clauses, which may give too much power to the state institutions that will define the terms and also determine the severity of a breach.

“Ethical hackers operate all over the world, and their job is to diagnose security issues and inform those concerned. They do it to expose vulnerabilities, not exploit them. However, the cybercrime bill does not differentiate between black and white; instead, it treats both with the same rod.”

He lamented the lack of any awareness campaign about cyber crimes before the implementation of the bill. “The government is treating the symptoms and not the disease. There has been no awareness campaign about cyber crimes and the legislation. President Obama has allocated $90bn for cybercrime awareness and related campaigns; but how much did we spend or allocate for such campaigns?”

In order to improve and secure Pakistani cyberspace, the starting point has to be an awareness campaign, and it should start at home and in schools. Kids and adults need to be trained in their respective educational institutions about the impact of any wrongdoing in cyberspace.

Other Notable Achievements:

It is pertinent to mention that this is not the first time Rafay Baloch has been rewarded for identifying a bug. In fact, he made headlines in 2012 when PayPal rewarded him $10,000 for a bug report and also offered him a job.

“Yes, they offered me the job, but I couldn’t avail of it since I was still an undergraduate student and had to complete my studies,” confirms Rafay Baloch.

In addition to this, he has identified a series of bugs in Android that have been covered by the BBC, CNN and other leading publications. He claims to have pioneered ethical hacking in Pakistan and set a new trend which is being followed by thousands today.

More recently, he attended Black Hat Asia. “Yes, I represented Pakistan at the Black Hat Conference, and I was the first Pakistani to have ever attended it.” What makes the young man a real inspiration is the fact that leading tech giants like Google, Twitter and Facebook have his name in their halls of fame.

Rafay is a Computer Science graduate from Bahria University Islamabad and currently works with PTCL as National Security Manager.
