[Techie Tuesdays] Vivek Bansal - The bounty hunter who lied to his parents


Taking admission into civil engineering was almost destined for Vivek Bansal until he decided to change the course of his destiny. A software engineer by day, Vivek loves to play around with the Facebook API by night and looks for vulnerabilities in their system, which has earned him Facebook’s Bug Bounty award of $ 2000.

Vivek Bansal

Vivek comes from a middle class family and had his early schooling in a government school in Pratapgarh. The first time he came across a computer was in 2001, when he was in the 5th grade. Since then his interest in technology grew. Realizing this, his father enrolled him in a computer course at a computer centre five kilometers from his village. Vivek found his mentor at the computer center. He learnt BASIC and COBOL and even wrote a program for chess and the TV show ‘Kaun Bangega Crorepati’ while he was in the sixth standard.

His friends and teachers at school started playing these games. His joy was short lived as his parents shifted him to another school which did not have a computer lab. But the spark did not die, and he got to pursue his passion once he finished schooling.

Talking about how he lied to his parents and took up computer science instead of civil engineering, Vivek says, "Before I joined engineering, my family was pushing me to take admission in mechanical or civil engineering but my interest was in computer science. I finally went for computer science and lied to my parents that I had joined civil engineering just to make them happy.”

Mail from Facebook security confirming the bug

It was during his college days that he developed a serious interest in computer security and hacking. Initially, he started by hacking wifi passwords and giving access to his friends for free. After passing out from college, Vivek worked for InoxApps, and it was here while playing around with Facebook API that he found FB logins to be vulnerable.

"This is the second security bug in Facebook history related to posting on user's timeline. Last time in July'13, there was a guy named Khalil who found vulnerability in facebook security and posted a message on Mark Zuckerburg's wall. This time, it’s another security bug from my side," says Vivek.

Vivek shares the funny story behind finding the bug. "I am an Android developer and have developed many applications. However, my college friends never appreciated my work and would tease me saying, ‘Beta...ye programming tumse naa ho payegi’ (son, this programming is not your cup of tea)’. So I decided to teach them a lesson,” he says with a smile.

And the bounty arrives

During those days, Vivek was working on the Facebook API for his applications. “My target was to post funny messages on their walls without their knowledge. So after spending a couple of days working with Facebook API, I discovered a bug and then wrote a piece of code through which I could post on their wall or on their friend's wall without taking any respective publishing permissions from them. Then I worked more on that code and wrote it in such a way that now the posting can happen from any Web/Android/iOS/Blackberry/Windows application and can be done any number of times without taking prior permission and without informing the user."

Soon after having fun at his friends’ expense, Vivek reported this vulnerability to Facebook. The gravity of the situation can be appreciated by the fact that over 30 million people use Facebook login in mobile and web applications and there are chances this security could have been compromised. Facebook decided to nominate Vivek for the Bug Bounty of USD 2000 and also included him in the HALL OF FAME.

But that is not all, at present Vivek has discovered more loopholes in Facebook and Twitter and is working on them. (He is not allowed to talk about it until they are patched).

With this kind of knowledge it is easy to jeopardize many lives. Was he not tempted to misuse this? "I could have misused the data but coming from a simple family background, I don't think it's ethical to exploit users’ data (that includes my own personal credentials). It is enough to display my capabilities without doing any harm," says Vivek.

At present, Vivek is working with TimesCity part of Times Internet Limited and is helping them on their Android platform.

Say hi to Vivek.


Updates from around the world