Cybersecurity Influencer Trusted by the Silicon Valley
Vinod has discovered bugs, glitches, gimmicks, implementation flaws as well as threatening inadequacies in security in major websites and software of Silicon Valley corporates and technology firms. Subsequently, he has also aided them in rectifying these shortcomings and improving the overall security of their systems.
Vinod firmly believes that technology can make our lives easier, provided the technology assures uncompromising security – something that may seem far-fetched in today’s hack-prone tech industry, but it is more possible than sighting a unicorn. He has proved that it is possible through rigorous penetration testing. His ethical hacking and his bug bounty hunting escapades has helped many notable firms to take note of the inadequacies in their applications and software prior to them being exploited by malicious hackers.
“If you think technology can solve your security problems, you don’t know technology, and you also don’t know security.”
Vinod’s Contributions to Cyber Security
As an ethical hacker, Vinod loves what he does. From discovering zero-day vulnerabilities that have a zero-day time interval between discovery and exploitation to session hijacking where a cookie is predicted or sniffed and then exploited, to various SQL injection vulnerabilities, Vinod has discovered and reported critical points of entry and inconspicuous flaws in WordPress, Joomla, BWNL, W3Schools, BitDefender, and popular e-Commerce Portals. Had these vulnerabilities been left undetected, they could have adversely affected the lives of millions of people.
No system, software, application or network is impregnable at first, and there is always a risk of exposure to attack. But the attack surface can be made so insignificant through practice and persistence. By employing proven security precautions, and their sustained maintenance, any system, software, application or network can eventually become resilient. Security, in a sense, is like walking on a rope strung tightly across a valley. One must balance out the risks associated with security flaws as soon as they are discovered and keep moving to find another risk before it is exploited.
Vinod has found zero-day vulnerabilities in WordPress, one of the most popular content management system. This allowed WordPress to take note of these vulnerabilities before they could affect the scores of WordPress users.
Joomla is another popular content management system that had undetected zero-days. Vinod discovered, reported, and helped rectify these zero-days.
Session fixation is a method of exploitation where the application doesn’t invalidate or close sessions or has some inconsistencies in the way in which it handles multiple sessions of a user. These inconsistencies between sessions can pave the way for attackers to perform a simple SQL injection to gain access to the web application.
W3Schools is a platform where thousands of users visit to learn every day. The website uses embedded elements within iframes in almost every page. Vinod identified an iframe vulnerability where a hacker could easily replace the destination of the iframe and redirect users to a malicious website.
Vinod has also contributed to the security of system security software. BitDefender, an antivirus software developed by the Romania based BitDefender, LLC, had a vulnerability that hackers could use to manoeuvre a series of blind attacks that leverage how the software responds to each query. Vinod discovered and reported it to the company.
BSNL had an SQL database vulnerability where the database is attacked with random inputs to elicit responses (error messages) to determine its structure, which can then be used to exploit it. Vinod discovered and reported this vulnerability in 2010.
Virgin Media, a leading telecommunication company based out of the UK also had an SQL injection vulnerability in its web application which was found by Vinod in 2013 and later rectified.
A stored cross site script is a malicious script (code) that is injected into a user’s browser by faking trustworthiness, usually possible because of inadequate processing of user inputs by a web application. PBBoard Forum, a forum where large number of users interact, and one which receives a large number of user inputs was susceptible to this attack. Vinod helped to rectify this vulnerability.
By performing a directory traversal attack, a malicious user is able to access restricted directories, files, and folders which they do not otherwise have access to on the server. Vinod found one such loophole in a popular e-commerce portal’s website in 2013 that was later patched.
The PHPAuction script is a widely used script on auction-based websites that, if implemented without standard security procedures will allow hackers to execute malicious codes even by using third party hosts to access restricted files or gain an administrator’s control. Vinod has identified one such vulnerability in a website that uses the PHPAuction script.
Vinod hacked into a Job website that uses the PHPJobSite script to determine its resistant to attacks. He identified and helped resolve a session hijacking vulnerability that involves hijacking incomplete or truncated sessions that are not fully closed by predicting cookies stored on a system from the incomplete session.
PHPinstant Gallery script is a photo gallery script used on websites across the internet. HTTP requests such as clicking on a photo from the gallery can be taken advantage of to run a malicious script in response to the request (Reflective XSS) or it could be stored on the website and could simply be run when the user visits the website (Stored XSS). Vinod has helped resolve both these vulnerabilities in the PHPinstant Gallery script.