Rafay Baloch – Google’s Go-To Man to Find Bugs

If you are a technology buff, you have definitely heard of Rafay Baloch, the 21-year-old Pakistani who has helped Google identify two major vulnerabilities in Google’s Android.

Rafay is a professional penetration tester and participates in bounty programs, helping major Internet corporations improve their security. He is also the author of ‘Ethical Hacking and Penetration Testing Guide’, his first book on hacking and penetration testing.

The Bugs

The first bug was reported by Rafay on August 13th, 2014. He identified a security loophole that could allow a bypass of the Same Origin Policy (SOP) protection.

According to PCWorld.com, “The SOP prevents scripts from one domain from interacting with data from a different domain. For example, scripts running on a page hosted on domain A should not be able to interact with content loaded on the same page from domain B.

Without that restriction, attackers could create pages that load Facebook, Gmail or some other sensitive sites in an invisible iframe and then trick users into visiting those pages in order to hijack their sessions and read their emails or send Facebook messages, for example.”

The Same Origin Policy (SOP) is an integral part of most browsers, such as Internet Explorer, Mozilla Firefox and Google Chrome.

According to Forbes.com, “Right at the start of September, security researcher Rafay Baloch released details on an Android bug that has now been called a ‘privacy disaster’.”

The report also states that this bug affects anyone that is not running the latest release, Android 4.4.

“That means as many as 75% of Android devices and millions of users could be open to attack,” says Forbes.com quoting Google’s statistics.

One month on from reporting the first bug, Rafay has hit the jackpot again, reporting another SOP bypass vulnerability in the browser on Android versions prior to 4.4, which allows attackers to steal personal data from Android phones.

Based on information from mobile security firm Lookout, approximately 45% of Android devices carry a browser with both these vulnerabilities.

Not the first time

Rafay has been commended by major technology blogs and publications for identifying these loopholes; however, this is not the first instance where Rafay has identified a major security issue for a global technology company.

He has already been awarded $10,000 in cash and offered a job by PayPal, for whom he found a remote code execution vulnerability along with several other high-risk vulnerabilities in their online money transfer service.

These achievements by Rafay go to show the potential and talent of us Pakistanis. Regardless of our country’s current circumstances, stories such as this make us proud of our nation.
