I was writing my script and guide for the From Noob to CyberSecurity Pro blog titled “How to start learning to become a white hacker and sites for improving your hacking and cyber security skills ”
I wanted to prove a point about how the news makes programming and hacking seem so easy by stating that there are 13 year old hackers/prodigies/programmers. + Then I decided to search on google for similar fake stories since you can’t possibily be an expert at such an young age. Leave Mozart be, he had training from the age of 3 and of course at the age of 13 he was proficient. Expertise comes with years of training. No wonder in that!
I ended up finding thousands of references to this young elite penetration testing mega hacker called Tahir Ahsan. He learned to become a hacker at age 12! In only 1 year he was able to haaxooor the world wide web my friends!
NOTE: Funnily enough, since the moment I published this article, I began receiving thousands of requests per day to try to hack into my site, it may or may not be related, most of them are stupid and I don’t even use those apps/software, but anyway, some other script kiddies are playing around :)
I’ve began writing this article because I believe that we shouldn’t always believe what the news is reporting. A lot of self inflated ego’s out there. Can you really master a field in 1 year? If you’ve had previous experience for let’s say 10years in a similar field and are dedicated at working 8 hours a day then you can advance in your chosen field quite fast. But if you have no prior experience then 1 year is not even enough time to grasp the basics.
NOTE: This article contains my personal view. It was long ago June as an analysis. I’vedecided to post it now for the basic concept it contains. Most of the things are still valid today, next year and in 10 years from now.
It takes time to become good at anything. Mastery is an ongoing process of gaining experience.
Why Those who boast are not really hackers - MOdesty is the key
Let’s stop for a moment and please understand that those who boast, go on public
They attract attentions to themselves because they want to inflate their egos.
I can tell you that many so called hackers who have been “caught” and are now “public figures” were not really smart enough, they where, and probably still are script kiddies. A script Kiddie is someone who uses automated tools to break into systems, they have no knowledge of programming, system administration, networking (how the internet works) or anything else. They just use something they’ve found online and usually do not know how to cover their tracks, nor do they posses any modesty.
Anytime you break into something, you don’t just go around talking about your achievements, it attracts attention. Plus, most who have been caught, didn’t just break in, they most notably did illegal things which may include cloning of credit cards and where in organized crime.
Case Study on Cyber Security expertise
Aparentlly Ahsan “hacked” Google and Microsoft. Oh yeah boy. We have a real hacker. I was really intrigued to find out how and why,. All i could find was that he might have reported some bugs in some apps. That was discouraging. Why? Most of the news websites talk as if he really hacked into something. I’m not downplaying that a bug can be a cause for havock I’ve seen this happen. However what I’m upset about is that the marketing/branding scheme here seems to misinform what he actually does.
When such a thing happens I usually tend to give it NO importance. But i was intrigued that nothing else existed about him other than the same text repeated over and over again on all the damn websites. + It’s like the boy ran an automated script e-mailing everyone with his great achievements.
What made me really dig into this was the fact that he claims that he has learned hacking in only 1 year. From 12 to 13. I have to hand it to him, he is a gENiUs if he managed to learn it so fast. + But by closer inspection and some fiddling around I actually confirmed my initial hunches. It’s just a script kiddie who has followed some youtube videos. He has probably read some “elite hacking” books and has installed all the k3wl script kiddies tools to autoh4x0r systems! He seems to have chosen Web Penetration testing as a main theme. + A big congratulations from my part to him since he has chosen a field which will ensure he will always learn new things and hopefully have fun.
I’ve followed Tahir a bit on hackerone and some sites where he publicly posted his “findings”.
It’s funny to say but most of the them when he published something and they disclosed the information I started laughing out loud. + I mean this guy is really funny in the way that he has a lot of confidence in what he’s reporting. The confidence which usually is lacking in other people. + I wouldn’t even have the guts to report these low level things since if I don’t have a Proof of Concept that actually works and is able to bring down the server or make changes I’d tend to think any possible fake “vulnerability” is just a waste of time. My time and the developer’s time.
NOTE: Example of idiotic reports such as: “Your server responds with a VERSION NUMBER!!!” -> It can be a usefull information if you have a vulerability, but it’s not a vulnerability in itself.
My initial view was that he seemed to be on the Fake Fast road to success and knowledge. I have to hand it to him that he’s really smart in the way he goes about everything. Most of the disclosures are on simple XSS or CSRF injection stuff that I’d disconsider from the start because I figured out everyone must possibly already know about this, right? WRONG. Seems he enjoys posting low level findings which have no real value. XSS/CSRF are dangerous IF they can be saved in a database and in certain circumstances, the ones he reported were not useful.
Some examples
I mean, a real hacker for sure! Below are a few
https://hackerone.com/reports/153628
Full path disclosure (Oh my, i;ve seen thousands of these and never
thought of sending an e-mail!) +
Sure, seeing the full path can help a hacker determine some information.
From the website above we know it’s a windows system..But that can
easily be found out with other means:D +
Yes, we know the path.. Now what? If you can’t find a way to get access
this info is near useless since if you get access you’ll know the path
anyways.. +
Using DirBuster, are we?
https://hackerone.com/reports/153580 - nonces that are reusable for 12 hours or more seem to be vulnerable to.. stupidity.
https://hackerone.com/reports/147182 Finally, found something.. No e-mail verification when changing e-mail address form settings. Sure, this is true
https://hackerone.com/reports/152834 He tries to fill in a bug bounty for injected headers. He barely understands request vs response architecture in HTTP/HTTPS
https://hackerone.com/reports/148763 + https://hackerone.com/reports/147919 + So the famous hacker claims he can send spoofed e-mails coming from a certain domain. + Dude this is so stupid it makes me slap myself. Of course anyone can send spoofed e-mails form any e-mail address. + Even if they go to INBOX it doesn’t mean it’s really from that e-mail address. It all depends on a lot of factors and mail servers along the way + How each server does verification and such DKIM keys, SPF field etc. Jesus Christ. + Anyway, you should always include SPF(Sender Policy Framework) in your DNS records and DKIM setup is mandatory, even Amazon Simple Mail services recommends it so no one can spoof your e-mails
By looking at all of the disclosed ones (couldn’t access undisclosed ones) I could only state that 99% of the time it was such a small issue that it’s actually a nonissue. + One thing is for certain, he did gain a lot of XP (experience) points and knowledge.
https://hackerone.com/reports/149027 Hello, mommy, I didn’t get an email to inform me that i’ve changed my password, I think this is a security issue! WTF? Really now?
https://hackerone.com/reports/164039 + Reflected Self-XSS. Reflected SelF XSS is great.. for playing around. In real life if the website has some security countermeasures it’s unusable. + The only way I think you could make something out of this is by making a iframe/link on your website and having a javascript logger send datat to your own server. + But this needs a PoC
https://hackerone.com/reports/148911 + Yes, I’ve known this since the early days of software development. Don’t give details if a user account exists or not. Not when logging in, not when resetting the password. + But come on, if someone wants to know if a user or email exists they might try to register it. D’OH! + Let’s be real for a moment. Most modern web apps block brute forcing so why bother even clicking on the button to report this? + This is not a vulnerability, it’s just praying for attention! This little boy is praying for attention because he probably won some bounties from Microsoft. + Yes, he’s been on the wall of fameof MIcrosoft. Sure. 100 other people have been on that same blog post + Anyway, the developer posted a specific screenshot showing that the text is the same for random username that doesn’t exist and one that does.
If this is the way a true hacker works then oh my god I should create accounts on all bug bounty websites and let the money pour link:[in:))] + Most of the serverities where 0.0 and they where just disclosures of “hey your webserver leaks Version Information” + No kidding, most webservers do!
https://hackerone.com/reports/137480 + Oh bummer, OAUTH2 access tokens are killed but you have a refresh token that is still valid temporarily. Sure, session hijacking IF you manage to get your hands on it.
https://hackerone.com/reports/141125 Yey, he made some money for disclosing the version of NGINX.
WE WANT MORE!
There are many others but i think it’s enough since i’ve had my load of fun for the moment. I really should consider doubling my pentest documentation. + I mean, the clients need to know everything even if it doesn’t have anything to do with real vulnerabilities, right?
Conclusion(s)
A lot of marketing and branding and I have to hand it to him and whoever is helping him out. He’s recieved a lot of attention. + Does he know cyber security? I’d say he memorized a few things and always goes for those. Just like some Managers and HR people use jargon all the time.. I’m curious how he’s on the Reverse Engineering stuff. How good he’s with Linux and real networking security. Real threats and vulnerabilities disclosed by this bad boy? Probably close to 0. Real high severity threats publicly disclosed by me? 0 + Ah, the reasons why I didn’t go fulltime in Cyber Security? The world is full of scriptkiddies. + Well if this guy claims to be a Security Researcher and the entrance barrier is so low then I’m probably one too without realizing it! Talking about the Dunning–Kruger effect ! The ONLY reason he got into security research was that from posting 100 bugs he might get 5 of low severity right and make some money to buy games.
Now, I’ve only analyzed this guy, I’m pretty sure there are hunderds like him doing the SAME things:) + No real security discoveries here. Just in for the $$. + The Fake Fast road to success and knowledge is a path that many people want to take. It’s why the self development industry has gotten so much attention and why there are thousands of books written on suc htopics. The truth is that no one is going to become rich nor famous overnight. It takes time, hardwork and dedication.
People look up to those who seem to have it all. Most don’t realize that appearances and branding make things look better than they are. When someone is telling you that he’s doing awesome he’s probably not doing any better than you do.
If you want to achieve something, start preparing and doing the work needed for 1 hour a day, every day at the same time. 1 hour is enough to become proficient in 10 years.
Even if you’re 20 right now think that you’ll still live to work untill your 70’s. That 1 hour a day means that in 20 years you will become an expert. Want to do it faster? Increase the time spent. + Mastery comes to those who are willing to invest enough time.
