URL Spoofing: Interview With Bug Bounty Hunter Narendra Bhati – E Hacking News
On 24th December, E-Hacking News conducted an interesting interview with Mr. Narendra Bhati, a Bug Bounty Hunter/Ethical Hacker. He was recently awarded a total of $20,500 by Apple Security. Narendra also discovered an Address Bar Spoofing Vulnerability in multiple browsers.
Q.1 Can you please start by introducing yourself to our readers?
My name is Narendra Bhati, I’m a Bug Bounty Hunter and Ethical Hacker. I belong to a small town called Sheoganj in Rajasthan. Currently, I’m working as a lead Pentester in Suma Soft Private Limited for the last 7 years.
Q.2 How do organizations react when you find a bug and go to them?
Especially Google, Apple, and Hacker One, I believe that the response time has been better than the last time. Nowadays, everyone is working from their home and they can look into the issues quickly as they do not have to go to the office, which saves time.
Last year, I had a few bank accounts and I tested these banking apps and found that these applications were vulnerable to very basic hacking attacks. I tried to contact the bank but as these banks do not have any bug bounty program for security, I contacted their customer support service and after 2-3 months, still, no response came. The customer service couldn’t understand what I was trying to explain. But now, four out of 5 banks have fixed the issue, one still remains.
In the case of RBI, I was a bit afraid that if I try contacting RBI, it might come back at me asking why did I attest any application. But in similar cases, I’ve found the same issues with the mutual funds’ apps.
Q.4 Did these banks respond to you or just silently fixed these issues?
I sent an email to these banks and tried to contact the higher authority via LinkedIn. I found some senior security team and contacted them. Luckily, they were able to understand me and fix the issue within seven days. So basically, it took around 6 months to close the issue.
Many Indian organizations are not ready for opening the Bug Bounty Program. Why do you think it’s not happening here?
I’ve had a very bad experience with Paytm, I spent around 2-3 months and found 30+ bugs. I think why the hunters are not interested in the Indian Bug Bounty Program and why it’s not doing good is because the amount of work that hunters invest in finding a bug is not equal to what they are paid.
For example, in a typical scenario, an International Bounty program has a price range of $500-800, whereas in India they offer only $80-100. So, the hunters think “why should I focus on the Indian bug bounty program when they offer such low reward” and the same works for me also.
The basic idea of URL spoofing is user trust. In URL spoofing, what an attacker can do is, whenever you click a URL, you’ll see that the URL belongs to Google.com but the content is shown from the attacker’s domain, so the attacker can show any desired content using the trusted domain.
Meanwhile, the user could attest to this data thinking the content shown from Jio is real but the attacker could violate this or do a phishing attack. I think the URL spoofing impacts banking websites the most, the attacker can use any trusted banking domain in India to create a fake page and the victim will most likely attest to that.
Q.6 What made you interested in Bug Bounty?
It all began when I was in 8th class and my father bought a computer worth INR 18,000 which was a lot back then. Also, my cousin Karan Gehlot influenced me a lot and brought my interest in computers. After doing my BCA from a local college, I went to Ahmedabad for an Animations course and enrolled myself. The course was to start after 10 days, and in that time, I came across a cybersecurity workshop ad on Facebook.
I struggled a lot with stammering and lacked self-confidence but somehow, I went to that workshop. On the 2nd day, I talked with the organizers of the workshop and asked them that “I want to do a job and get in cybersecurity.” So, I started my journey with that organization as a Head Trainer of the Ethical Hacking course and I was also learning side-by-side, I worked for two years there, and in 2014, I joined Suma Soft.
Q.7 When you found the vulnerability in Jio Browser, did the company respond?
I contacted Jio via Twitter and they responded immediately, I shared all the information with them but after 2-3 mails, they stopped responding to me, I don’t know why. Recently, they renamed the browser to ‘Jio Smart Pages’ from Jio Browser and fixed the issue, but they didn’t reply to me back.
Q.8 Is that the common thing, that the companies don’t respond to but silently fix? If so, why do you think it happens?
That’s what I’m talking about, the Indian programs, they don’t respond. They’ll sweet talk to you in the beginning but once they receive the required information, you cease to exist for them. The companies have a brand image in the market, and if they disclose any information regarding any issue, it may affect their brand value.
Q.9 Any advice to our readers on Cybersecurity?
I give the same advice to all my connections/friends and I’ll give the same to you, don’t stop learning. Whenever you do a Bug Bounty Program, just stick to that, don’t change your timeline, spend a good amount of time in research and you’ll surely have good results.