While surfing his social media account in 2008 on the now-defunct Orkut, Rafay Baloch, then 16, came across a software application meant for increasing the number of scraps – Orkut’s equivalent of Facebook posts.
To appear “cool” among his friends by accumulating a pile of scraps, the young lad clicked a link to the software, only to watch his computer cycle through random wallpaper flips and screensaver changes. His inquisitive nature led him to investigate, and he found that his computer was infected with a virus controlled from an IP address in Russia. Baloch might not have thought that the curiosity arising from this incident would one day lead him to become one of the world’s most recognized security researchers.
Featured in various national and international publications as the leading security researcher of 2014, Baloch stepped his way up the ladder of success at a very young age.
The young ethical hacker recently exposed a vulnerability in Chrome and Firefox: the way these browsers render website addresses could expose users to malicious websites that otherwise appear legitimate. He received a $5000 reward for this endeavour.
He also attended Black Hat Asia 2016, the world’s premier technical security conference, held in Singapore, to present his paper on Android security. The Black Hat Conference is one of the world’s most prestigious conventions on security research and ethical hacking.
“The auditorium was jam-packed during my session,” said Baloch. “My paper on Android Security was very well-received by international researchers.”
The Black Hat Conference has mainly featured IT professionals from the USA and India for their work in the field of information security, but Baloch had the honor of representing Pakistan at this forum, and his research work received an excellent response worldwide.
Owner of the blog rafayhackingarticles.net, Baloch rose to fame when he helped several organizations find security vulnerabilities in their products. He made responsible disclosures about security flaws and landed in the hall of fame of PayPal, Google, Facebook, Microsoft, Twitter, Dropbox and several other global technology companies and internet corporations.
A professional penetration tester and author of the book ‘Ethical Hacking and Penetration Testing Guide’, Baloch found a remote code execution vulnerability in PayPal – an online payment transfer service – in 2012, when he was just 19. The money transfer service extended its gratitude by rewarding him with $10,000 in cash and a job opportunity, which he had to turn down because he was still pursuing his bachelor’s degree.
However, the PayPal bug wasn’t his biggest disclosure.
“The privacy bug I found in the Android browser is my greatest achievement by far,” the twenty-three-year-old said, referring to a massive privacy bug he found in the Android browser (Android Stock Browser Address Bar Spoofing) that earned him global recognition in 2014.
Among many others, Infosec Institute – one of the finest institutes for information security training – added Baloch to its list of fifteen most famous bug bounty hunters. He was also featured in an article titled, “10 famous bug bounty hunters of all time” by hackread.com – a website dedicated to discussion and news provision on core topics related to technology, cyber security, warfare, and hacking.
Currently, Baloch is working as an independent consultant for an international client in Dubai. Prior to this, he was working as Information Security Manager at PTCL headquarters in Islamabad. Baloch believes that ethical hacking and security research is a field with great potential and growth opportunities for young individuals.
“The Pakistani youth is divided into two segments; one that is passion-driven and the other that is driven by ground realities,” Baloch said. He added that people with a passion for security research must not worry about the ground realities, as the market is vast and is growing with each passing day.
“New software, tools, and web apps are launching each day. Till the day there is internet, ethical hacking and security penetration will remain crucial and relevant.”
He added that this career path is not dying anytime soon, as law enforcement agencies, firms combating cyber terrorism, and IT companies are recruiting ethical hackers and analysts every day.
Baloch himself took the unconventional path and opted for a career in a field where there is not much training available in Pakistan.
“I studied for a bachelor’s in Information Technology at Bahria University,” said Baloch. “Yet, I chose to become a security researcher and studied bug researching and fixing on my own.”
Staunchly against cyber crimes, Baloch is eager to contribute as much as possible to the elimination of internet crimes from Pakistan and the rest of the world.
Talking about the controversial cybercrime bill, which the senate recently passed, the information security expert was of the opinion that the bill is crucial to ensuring the security and privacy of the people. In the same breath, he stressed that the law should be framed and enforced responsibly, and that both the government and the FIA (the Federal Investigation Agency, which deals with cyber crimes) should play a responsible role in this regard. The draft bill has received severe criticism and opposition from rights groups for some of its clauses, which are seen as a threat to civil liberties.
Talking about those drafting the bill, Baloch said only people with knowledge of IT and cyber crimes should decide penalty and punishment for cybercriminals in the country.
“[Information security] experts should be involved in the hearing of such cases for accuracy,” Baloch said, adding that awareness campaigns should be initiated to educate people on the repercussions of cybercrimes.
He deems such awareness essential for the safety of users, because if people do not have knowledge of the matter, they will never adopt precautions to protect themselves from scams and other privacy-related issues.
Baloch says that he has extensive plans for the further advancement of this field in Pakistan. He claims that he has proposed a plan to the Government of Pakistan for a cyber security unit, which is under consideration for approval. This cyber security unit will not only provide basic cybercrime-related help, as the FIA does, but will also work for the eradication of cyber terrorism from Pakistan.
“Criminal elements are recruiting people through the internet for terrorist activities,” Baloch said. “My security unit will work to rule out such attempts from the internet in Pakistan.”