Ehraz Ahmed

From Bharatpedia, an open encyclopedia

Ehraz Ahmed
Born: July 26, 1996, Mysuru, Karnataka, India
Education: P.E.S. College of Engineering
Occupation:
  • Security researcher
  • fintech professional
  • entrepreneur

Ehraz Ahmed (Hindi: एहराज़ अहमद, born July 26, 1996) is an Indian entrepreneur, fintech professional and security researcher.[1] He is one of the better-known ethical hackers in India, credited with protecting the data of over one billion users by reporting security flaws to companies including Facebook, Justdial, Airtel and Truecaller.[2] He is the CEO and founder of Voxy Wealth Management and Aspirehive.[3]

Personal life

Ahmed was born in Mysuru, Karnataka, India, on July 26, 1996. In 2016 he joined PES College of Engineering to pursue a B.E. in Computer Science, and dropped out in 2017 to launch his web security company.[3] His father survived a heart attack while Ahmed was in the 10th grade, and underwent open-heart surgery in 2019.[4]

Career

At the age of 14, Ahmed began his entrepreneurial career by selling game hosting servers, and founded a company that later offered web hosting. By 16 he had been listed in the security researcher halls of fame of around 50 companies, including Facebook, Twitter, Apple and Microsoft, for reporting security flaws.[5][6] In 2016 Ahmed started his fintech company, Voxy Wealth Management, and in 2017 his web security company, Aspirehive. In 2019 he was credited with safeguarding the sensitive data of over one billion users by finding security flaws in services including Airtel, Justdial, Truecaller and SonyLiv.[2]

Truecaller controversy

On 21 August 2019, Ahmed reported a security flaw in Truecaller's login process that, he said, could have allowed attackers to access virtually any Truecaller account. He demonstrated the issue to Republic World by sending messages on Truecaller Chat from a phone number that was no longer valid and had previously been Airtel's official prepaid customer care number. In a later email statement to Republic World, Truecaller said it had investigated the issue together with the researcher and was unable to reproduce the flaw.[7]

Justdial security flaw

On 10 October 2019, Ahmed reported a security flaw in Justdial's registration API that exposed over 156 million accounts. Supplying a victim's phone number in the API's username parameter was enough to log into that account; no further verification was required.[8] In a filing to the Bombay Stock Exchange, Justdial acknowledged the vulnerability and said it could potentially have been used by an expert hacker to gather basic user information. The company said the flaw had been fixed and that there had been no theft of data or financial loss to the company, its users or customers.[9]

Airtel security flaw

On 7 December 2019, Ahmed reported a security flaw in an API used by Airtel's mobile application that exposed the personal details of more than 325 million Indian users. Knowing a user's mobile number was enough to retrieve their name, email address, date of birth, residential address, and the IMEI number of the device on which the app was installed.[10]

Airtel acknowledged the issue and fixed the flaw after being notified about it by the BBC. "There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice", an Airtel spokesperson was quoted as saying by the BBC.[11]

On 13 December 2019, Business Insider listed Airtel's security flaw as one of the biggest data breaches of 2019.[12]

Web application for Covid detection

On 19 October 2020, Ahmed released a web application for detecting COVID-19 infection in chest radiographs. Its machine learning model was trained on a data set of 7,084 chest X-ray images from patients with COVID-19 and with pneumonia.[13]

Other research

On 12 November 2019, Ahmed reported a flaw in the Bounceshare app. One of its internal APIs accepted a user's phone number in the request and responded with that user's access token and rider ID; the access token could then be used to operate any Bounceshare account.[14]

A few days later, on 18 November 2019, Ahmed reported an API flaw in Nykaa Fashion's internal systems that allowed a potential attacker to log in to any user account.[15][16] On 23 November 2019, he reported a security flaw in Truecaller that exposed user data as well as system and location information; Truecaller confirmed the issue in a statement to Gadgets 360 and fixed it.[17] The flaw allowed an attacker to set a malicious link as the URL of their profile picture, so that the client of anyone who viewed the attacker's profile, through search or a pop-up, would fetch that link, letting the attacker harvest the viewer's IP address along with other user data.[18]
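The profile-picture flaw above is a server accepting an arbitrary, attacker-supplied URL and handing it to every viewer's client to fetch. The following is an added example written for this article, not Truecaller's code and not a description of how Truecaller fixed the issue: a server-side check that accepts a profile-picture URL only when it points at the service's own image host over HTTPS. `ALLOWED_IMAGE_HOSTS` and the host name `images.example.invalid` are assumed placeholders.

```python
"""Added example: validating a user-supplied profile-picture URL so that a
viewer's client can only ever be sent to the service's own image host.
Illustrative code for this article; the allowlisted host is a placeholder."""
import ipaddress
from urllib.parse import urlsplit

# Assumed: the only host from which profile images are ever served.
ALLOWED_IMAGE_HOSTS = {"images.example.invalid"}
ALLOWED_SCHEMES = {"https"}


def validate_avatar_url(url):
    """Return (ok, reason). Anything that could make a viewer's client contact
    an attacker-controlled endpoint (foreign host, IP literal, odd port,
    non-HTTPS scheme, userinfo tricks like host@evil) is rejected."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on junk like ":abc"
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:       # urlsplit lowercases the scheme
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"      # https://trusted@attacker/...
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)                # hostname already strips [] from IPv6
    except ValueError:
        pass
    else:
        return False, "IP literal not allowed"
    if host not in ALLOWED_IMAGE_HOSTS:           # hostname is already lowercased
        return False, "host not in allowlist"
    if port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"
```

The safer design is to not accept URLs at all: have the client upload the image bytes, store them, and serve them from your own host, so the stored profile only ever contains an identifier you minted. The validator above is for the case where a URL must be accepted; note that it deliberately checks userinfo before the host, because `https://images.example.invalid@attacker.invalid/` parses with `hostname` set to the attacker's host.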

A few weeks later, on 20 December 2019, Ahmed reported a security flaw in SonyLiv that allowed attackers to fetch sensitive information about registered users, such as profile picture, email address, date of birth, name and phone number.[19]

On 23 October 2020, Ahmed reported a security flaw in Thrillophilia's API that exposed the sensitive data of 2 million registered users. Passing any registered user's email address in a cURL request to the API returned that user's data.[20]
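The Justdial, Bounceshare, Nykaa, SonyLiv and Thrillophilia reports above all describe one pattern: an API that treats a user-supplied identifier (a phone number or an email address) as proof of identity and hands back a session token or a profile. The following is an added example written for this article, not any of those companies' code and not a reconstruction of their actual endpoints; the service, user records and phone numbers are fabricated. It shows the bug pattern as a function, then the hardened equivalent: a one-time code that proves possession of the phone (time-limited, single-use, attempt-limited, compared in constant time), and a data endpoint that checks the session's subject against the record being requested.

```python
"""Added example: the 'identifier-only login' bug pattern and a hardened
equivalent. Illustrative code for this article, not any company's real API;
every phone number, name and e-mail address below is made up."""
import hmac
import secrets
import time

# Constructed user table: phone number -> profile (fabricated data).
USERS = {
    "+910000000001": {"id": 1, "name": "User One", "email": "one@example.invalid"},
    "+910000000002": {"id": 2, "name": "User Two", "email": "two@example.invalid"},
}
SESSIONS = {}            # access_token -> user id
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5
_pending_otps = {}       # phone -> (otp, expires_at, attempts_left)


def _issue_token(user_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def login_vulnerable(params):
    """Bug pattern: the API looks up whatever identifier the client sends and
    returns a session for it. Knowing a victim's phone number is enough."""
    user = USERS.get(params.get("username"))
    if user is None:
        return {"error": "invalid credentials"}
    return {"access_token": _issue_token(user["id"]), "user_id": user["id"]}


def request_otp(phone, deliver, now=None):
    """Step 1 of the fix: the server generates a one-time code and sends it
    out-of-band (deliver() stands in for the SMS gateway). The response is
    identical for unknown numbers so the endpoint cannot enumerate users."""
    now = time.time() if now is None else now
    if phone in USERS:
        otp = f"{secrets.randbelow(10**6):06d}"
        _pending_otps[phone] = (otp, now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS)
        deliver(phone, otp)
    return {"status": "sent"}


def login_hardened(params, now=None):
    """Step 2 of the fix: a session is issued only after the caller proves
    possession of the phone with a fresh, single-use, attempt-limited OTP."""
    now = time.time() if now is None else now
    phone, otp = params.get("username"), str(params.get("otp", ""))
    entry = _pending_otps.get(phone)
    if entry is None:
        return {"error": "invalid credentials"}
    expected, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        _pending_otps.pop(phone, None)
        return {"error": "invalid credentials"}
    if not hmac.compare_digest(expected.encode(), otp.encode()):  # constant time
        _pending_otps[phone] = (expected, expires_at, attempts_left - 1)
        return {"error": "invalid credentials"}
    _pending_otps.pop(phone)                                      # single use
    user = USERS[phone]
    return {"access_token": _issue_token(user["id"]), "user_id": user["id"]}


def get_profile(token, user_id):
    """Data endpoint with object-level authorization: the session's subject
    must be the user whose record is requested, so naming another user's id,
    phone or e-mail in the request returns nothing."""
    subject = SESSIONS.get(token)
    if subject is None:
        return {"error": "unauthenticated"}
    if subject != user_id:
        return {"error": "forbidden"}
    for user in USERS.values():
        if user["id"] == user_id:
            return dict(user)
    return {"error": "not found"}
```

The two login functions accept the same request shape; the difference is that `login_hardened` only succeeds once `request_otp` has delivered a code to the phone and the caller echoes it back. Returning the same error body for unknown numbers, wrong codes and expired codes keeps the endpoint from doubling as a user-enumeration oracle, which matters when the identifier space (here, mobile numbers) is small enough to sweep.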

On 16 June 2021, Ahmed reported a security flaw in LazyPay that allowed attackers to obtain user data such as full name, gender, date of birth and phone number.[21]

References

  1. Jumaa, Awad. "Among them Microsoft and Apple: meet the Indian hacker who saved thousands of companies from hackers". Al Jazeera (in Arabic). Retrieved 2021-06-22.
  2. 2.0 2.1 "Meet Ehraz Ahmed, the white hat hacker who is helping Facebook, Google and Airtel stay secure". CNBC TV18. 2021-03-25. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  3. 3.0 3.1 Bakshi, Asmita (2020-09-05). "Lounge Heroes | Ehraz Ahmed: The protector of your privacy". Mint. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  4. "Airtel to Truecaller: 24-YO Has Safeguarded the Data of 700 Million App Users". The Better India. 2020-11-30. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  5. Fatima, Nikhat (2021-02-16). "Meet Ehraz Ahmed, a Bengaluru based ethical hacker safeguarding data of 700 million app users". Two Circles. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  6. Pioneer, The. "Meet the eh-thical hacker". The Pioneer (India). Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  7. World, Republic. "Security researcher discovers major flaw in Truecaller's login process". Republic World. Retrieved 2021-06-11.{{cite web}}: CS1 maint: url-status (link)
  8. "Exclusive: Justdial security flaw may allow hackers to breach pay accounts of 156 million users". Money Control. Retrieved 1 December 2019.{{cite web}}: CS1 maint: url-status (link)
  9. "JustDial fixes bug that allowed hackers access". The Economic Times. Retrieved 2021-06-15.
  10. "Airtel Admits Flaw in Mobile App Could've Exposed Data of Millions". NDTV Gadgets 360. Retrieved 2019-12-18.{{cite web}}: CS1 maint: url-status (link)
  11. Nazmi, Shadab (2019-12-07). "India phone giant fixes bug 'affecting 300m users'". BBC News. Retrieved 2019-12-18.
  12. "Airtel's security flaw only took 15 minutes to find". Business Insider. Retrieved 2019-12-18.{{cite web}}: CS1 maint: url-status (link)
  13. Oct 19, Shrinivasa M. / TNN / Updated; 2020; Ist, 17:20. "Karnataka: Mysuru-based researcher develops innovative X-ray scanner to determine Covid infection | Mysuru News - Times of India". The Times of India. Retrieved 2021-06-15.{{cite web}}: CS1 maint: numeric names: authors list (link) CS1 maint: url-status (link)
  14. "Exclusive: Flaw Left User Data Of 2 Million Bounceshare Customers Vulnerable To Hack". Money Control. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  15. Kar, Sanghamitra. "Nykaa fixes a data security bug". The Economic Times. Retrieved 3 December 2019.{{cite news}}: CS1 maint: url-status (link)
  16. "Flaws in code put customer data of four consumer internet platforms at risk". Mint. 17 November 2019. Retrieved 3 December 2019.{{cite web}}: CS1 maint: url-status (link)
  17. "Truecaller Flaw Allowed Attackers Harvest IP Addresses, Other User Data". NDTV Gadgets 360. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  18. weeks, Natasha Mathur 3; Day, 1 (2019-11-26). "Researcher Discovered A Critical Security Flaw In The Truecaller App". Mashable India. Retrieved 2019-12-18.{{cite web}}: CS1 maint: numeric names: authors list (link) CS1 maint: url-status (link)
  19. "SonyLIV Fixes Flaw That Could Allow Attackers to Fetch User Information". NDTV Gadgets 360. Retrieved 2019-12-20.{{cite web}}: CS1 maint: url-status (link)
  20. "Security lapse puts data of Thrillophilia's registered users at risk". CNBC TV18. Retrieved 2021-06-15.{{cite web}}: CS1 maint: url-status (link)
  21. "LazyPay Users' Sensitive Data Could Have Been Revealed by a Security Flaw". NDTV Gadgets 360. Retrieved 2021-06-22.