I was writing my script and guide for the From Noob to CyberSecurity Pro blog article (and possible video) which I started writing in June.
I wanted to prove a point about how the news makes programming and hacking seem so easy by reporting on 13-year-old hackers/prodigies/programmers.
Then I decided to search on Google for similar fake stories, since you can't possibly be an expert at such a young age. Leave Mozart be, he had training from the age of 3, and of course at the age of 13 he was proficient. Expertise comes with years of training. No wonder in that!
I ended up finding thousands of references to this young elite penetration testing mega hacker called Tahir S Ahsan. He learned to become a hacker at age 12! In only 1 year he was able to haaxooor the world wide web my friends!
I've started writing this article because I believe that we shouldn't always believe what the news is reporting. A lot of self-inflated egos out there. Can you really master a field in 1 year?
If you've had previous experience for, let's say, 10 years in a similar field and are dedicated to working 8 hours a day, then you can advance in your chosen field quite fast.
But if you have no prior experience, then 1 year is not even enough time to grasp the basics.
NOTE: This article contains my personal view. It was written in June as an analysis. I’ve decided to post it now for the basic concept it contains. Most of the things are still valid today, next year and in 10 years from now.
It takes time to become good at anything. Mastery is an ongoing process of gaining experience.
Case Study on Cyber Security expertise
Apparently Ahsan "hacked" Google and Microsoft. Oh yeah boy. We have a real hacker.
I was really intrigued to find out how and why. All I could find was that he might have reported some bugs in some apps.
That was discouraging. Why? Most of the news websites talk as if he
really hacked into something.
I'm not downplaying that a bug can be a cause for havoc; I've seen this happen. However, what I'm upset about is that the marketing/branding scheme here seems to misrepresent what he actually does.
When such a thing happens I usually tend to give it NO importance. But I was intrigued that nothing else existed about him other than the same text repeated over and over again on all the damn websites.
It’s like the boy ran an automated script e-mailing everyone with his
great achievements.
What made me really dig into this was the fact that he claims he learned hacking in only 1 year, from 12 to 13. I have to hand it to him, he is a genius if he managed to learn it so fast.
But on closer inspection and some fiddling around I actually confirmed my initial hunches. It's just a script kiddie who has followed some YouTube videos. He has probably read some "elite hacking" books and has installed all the k3wl script kiddie tools to autoh4x0r systems! He seems to have chosen web penetration testing as his main theme.
A big congratulations from my part to him since he has chosen a field
which will ensure he will always learn new things and hopefully have
fun.
I’ve followed Tahir a bit on hackerone and some sites where he publicly posted his "findings".
It's funny to say, but most of the time when he published something and the information was disclosed, I started laughing out loud.
I mean, this guy is really funny in the way he has a lot of confidence in what he's reporting. The confidence which is usually lacking in other people.
I wouldn't even have the guts to report these low-level things, since if I don't have a Proof of Concept that actually works and is able to bring down the server or make changes, I'd tend to think any possible fake "vulnerability" is just a waste of time. My time and the developer's time.
My initial view was that he seemed to be on the Fake Fast road to
success and knowledge.
I have to hand it to him that he's really smart in the way he goes about everything. Most of the disclosures are on simple XSS or CSRF injection stuff that I'd disregard from the start because I figured everyone must already know about this, right? WRONG. Seems he enjoys posting low-level things.
Some examples
I mean, a real hacker for sure! Below are a few:
https://hackerone.com/reports/153628
Full path disclosure (Oh my, I've seen thousands of these and never thought of sending an e-mail!)
Sure, seeing the full path can help an attacker determine some information. From the report above we know it's a Windows system. But that can easily be found out by other means :D
Yes, we know the path. Now what? If you can't find a way to get access, this info is near useless, since if you get access you'll know the path anyway.
Using DirBuster, are we?
https://hackerone.com/reports/153580 - nonces that are reusable for 12 hours or more seem to be vulnerable to.. stupidity.
https://hackerone.com/reports/147182 Finally, found something. No e-mail verification when changing the e-mail address from settings. Sure, this is true.
https://hackerone.com/reports/152834 He tries to file a bug bounty for injected headers. He barely understands request vs response architecture in HTTP/HTTPS.
https://hackerone.com/reports/148763
https://hackerone.com/reports/147919
So the famous hacker claims he can send spoofed e-mails coming from a certain domain.
Dude, this is so stupid it makes me slap myself. Of course anyone can send spoofed e-mails from any e-mail address.
Even if they land in INBOX it doesn't mean they're really from that e-mail address. It all depends on a lot of factors and on the mail servers along the way: how each server does verification, DKIM keys, the SPF record, etc.
Jesus Christ.
Anyway, you should always include SPF (Sender Policy Framework) in your DNS records, and a DKIM setup is mandatory; even Amazon Simple Email Service recommends it so no one can spoof your e-mails.
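To make the SPF part concrete: a receiving mail server takes the domain from the envelope sender (MAIL FROM), fetches that domain's SPF TXT record, and walks its mechanisms left to right until one matches the connecting IP. Note that SPF alone says nothing about the visible From: header; that is what DMARC alignment adds on top of SPF and DKIM. The evaluator below is an added example written for this post, not the author's code and not a complete RFC 7208 implementation: it only handles the ip4, ip6 and all mechanisms and reports "unknown" when it hits a mechanism that would need DNS, and the record and IP addresses are constructed from documentation ranges rather than taken from any real domain.

```python
import ipaddress

# Constructed sample SPF record using documentation address ranges; this is
# not any real domain's record.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefixes defined by SPF and the result each one produces on match.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that need DNS lookups to evaluate; not implemented in this example.
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs, in order.

    SPF is evaluated left to right and the first matching mechanism wins,
    so the order of the returned list matters."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        terms.append((qualifier, term.lower()))
    return terms


def check_spf(record, sender_ip):
    """Return the SPF result for a connecting IP against a record.

    Returns pass/fail/softfail/neutral, or 'unknown' when a mechanism that
    needs DNS is reached before anything matched (a full evaluator would
    resolve it; this one refuses to guess)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech in parse_spf(record):
        name, _, arg = mech.partition(":")
        name = name.split("/")[0]  # 'a/24' style CIDR suffixes
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        if name in NEEDS_DNS:
            return "unknown"
        # redirect=/exp= modifiers and unrecognised terms are ignored here
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.1", "2001:db8:1::1"):
        print(ip, "->", check_spf(SAMPLE_SPF, ip))
```

The "-all" at the end is what makes the record useful: with "~all" (softfail) or "?all" a forged message from an unlisted IP is merely flagged, and many receivers still deliver it.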
By looking at all of the disclosed ones (I couldn't access undisclosed ones) I could only state that 99% of the time it was such a small issue that it's actually a non-issue.
One thing is for certain, he did gain a lot of XP (experience) points
and knowledge.
https://hackerone.com/reports/149027 Hello, mommy, I didn't get an email to inform me that I've changed my password, I think this is a security issue! WTF? Really now?
https://hackerone.com/reports/164039
Reflected self-XSS. Reflected self-XSS is great... for playing around. In real life, if the website has some security countermeasures, it's unusable.
The only way I think you could make something out of this is by making an iframe/link on your website and having a JavaScript logger send data to your own server.
But this needs a PoC.
https://hackerone.com/reports/148911
Yes, I've known this since the early days of software development. Don't give details about whether a user account exists or not. Not when logging in, not when resetting the password.
But come on, if someone wants to know if a user or email exists they might try to register it. D'OH!
Let's be real for a moment. Most modern web apps block brute forcing, so why bother even clicking on the button to report this?
This is not a vulnerability, it's just praying for attention! This little boy is praying for attention because he probably won some bounties from Microsoft.
Yes, he's been on the wall of fame of Microsoft. Sure. 100 other people have been on that same blog post.
Anyway, the developer posted a specific screenshot showing that the text is the same for a random username that doesn't exist and one that does.
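What the developer's screenshot shows, written out: the login, password-reset and registration paths all return the same on-page text whether or not the account exists, and the unknown-user path does the same amount of work so timing doesn't give it away either. This is an added example written for this post, not the author's or the vendor's code. USERS and the addresses are constructed sample data, plain sha256 stands in for a real password hash (argon2, bcrypt, scrypt) only to keep the example dependency-free, and the `outbox` list stands in for the mailer.

```python
import hashlib
import hmac
import secrets


def _h(password):
    # sha256 is a stand-in for a real password hash; do not copy this choice.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user table; these are not real accounts.
USERS = {"alice@example.com": {"pw_hash": _h("correct horse")}}

# Hash compared against when the user does not exist, so the unknown-user
# path costs the same as the known-user path.
DUMMY_HASH = _h(secrets.token_hex(16))

RESET_MSG = "If an account exists for that address, a reset link has been sent."
LOGIN_MSG = "Invalid e-mail address or password."
REGISTER_MSG = "Check your e-mail to continue."


def reset_leaky(email):
    """Vulnerable form: the response text itself says whether the account exists."""
    if email in USERS:
        return "A password reset link has been sent."
    return "No account exists for that e-mail address."


def reset_uniform(email, outbox):
    """Hardened form: identical response for both cases; only the mailbox
    owner learns whether anything happened."""
    if email in USERS:
        outbox.append((email, "reset token " + secrets.token_urlsafe(32)))
    else:
        secrets.token_urlsafe(32)  # comparable work for unknown addresses
    return RESET_MSG


def login_uniform(email, password):
    """Always hash and compare, even for unknown users, and return one generic
    error so neither the text nor the timing separates the two cases."""
    user = USERS.get(email)
    stored = user["pw_hash"] if user else DUMMY_HASH
    matched = hmac.compare_digest(stored, _h(password))
    if matched and user is not None:
        return ("ok", None)
    return ("error", LOGIN_MSG)


def register_uniform(email, outbox):
    """Registration is the oracle the text points out: closing it means sending
    an e-mail in both cases and keeping the on-page response identical."""
    if email in USERS:
        outbox.append((email, "an account with this address already exists"))
    else:
        outbox.append((email, "confirm your registration"))
    return REGISTER_MSG


def mails_sent(handler, email):
    """Helper for inspection: how many messages a handler queued for `email`."""
    outbox = []
    handler(email, outbox)
    return len(outbox)
```

The reset path deliberately sends nothing for unknown addresses (there is nobody to send to), while registration sends in both cases; that asymmetry is why registration needs the extra "already exists" mail to stop being an oracle. Rate limiting, as the text says, is the other half of the mitigation.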
If this is the way a true hacker works then oh my god, I should create accounts on all bug bounty websites and let the money pour in :))
Most of the severities were 0.0 and they were just disclosures of "hey, your webserver leaks version information".
No kidding, most webservers do!
https://hackerone.com/reports/137480
Oh bummer, OAuth2 access tokens are killed but you have a refresh token that is still valid temporarily. Sure, session hijacking IF you manage to get your hands on it.
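The behaviour in that report, in miniature: an added example (not the author's or the vendor's code) of an in-memory token store where `revoke_access_only()` kills the access token but leaves its refresh token usable, next to the hardened `revoke_grant()` that tracks both tokens under one grant id and invalidates them together, plus single-use refresh tokens so a replayed one is rejected. All users and tokens are constructed; a real authorization server would expose this through its revocation endpoint rather than a Python dict.

```python
import secrets
import time


class TokenStore:
    """Minimal in-memory OAuth2-style token store (constructed example).

    An access token and its refresh token share a grant_id, which is what
    lets the hardened revocation below treat them as one unit."""

    def __init__(self, access_ttl=3600, refresh_ttl=30 * 24 * 3600, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock
        self.access = {}   # access token  -> (user, expires_at, grant_id)
        self.refresh = {}  # refresh token -> (user, expires_at, grant_id)

    def _issue_pair(self, user, grant_id):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, now + self.access_ttl, grant_id)
        self.refresh[refresh] = (user, now + self.refresh_ttl, grant_id)
        return access, refresh

    def issue(self, user):
        """Authorization succeeded: hand out a fresh pair under a new grant."""
        return self._issue_pair(user, secrets.token_hex(8))

    def _live(self, table, token):
        entry = table.get(token)
        if entry is None or entry[1] <= self.clock():
            table.pop(token, None)  # drop expired entries lazily
            return None
        return entry

    def validate_access(self, token):
        """Return the user for a live access token, else None."""
        entry = self._live(self.access, token)
        return entry[0] if entry else None

    def revoke_access_only(self, token):
        """The weak behaviour the report describes: the access token dies but
        the refresh token issued with it keeps working until it expires."""
        self.access.pop(token, None)

    def revoke_grant(self, token):
        """Hardened: revoking either token of a pair removes every token that
        shares its grant_id, so a refresh token that leaks later is useless."""
        entry = self.access.get(token) or self.refresh.get(token)
        if entry is None:
            return
        grant_id = entry[2]
        for table in (self.access, self.refresh):
            for t in [t for t, e in table.items() if e[2] == grant_id]:
                del table[t]

    def refresh_tokens(self, refresh_token):
        """Rotate: consume a live refresh token and return a new pair, or None
        if it is unknown, expired or revoked. Single use means a replayed
        refresh token fails, which is also a useful thing to alert on."""
        entry = self._live(self.refresh, refresh_token)
        if entry is None:
            return None
        user, _, grant_id = entry
        del self.refresh[refresh_token]
        return self._issue_pair(user, grant_id)


def demo():
    """Run the weak and hardened revocation side by side and report outcomes."""
    weak = TokenStore()
    a, r = weak.issue("alice")
    weak.revoke_access_only(a)
    weak_refresh_still_works = weak.refresh_tokens(r) is not None

    hardened = TokenStore()
    a2, r2 = hardened.issue("alice")
    hardened.revoke_grant(a2)
    hardened_refresh_blocked = hardened.refresh_tokens(r2) is None

    rotated = TokenStore()
    _, r3 = rotated.issue("alice")
    _, r4 = rotated.refresh_tokens(r3)
    replay_rejected = rotated.refresh_tokens(r3) is None and rotated.refresh_tokens(r4) is not None

    return {
        "access_rejected_after_revoke": weak.validate_access(a) is None,
        "weak_refresh_still_works": weak_refresh_still_works,
        "hardened_refresh_blocked": hardened_refresh_blocked,
        "replayed_refresh_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The severity the author argues about comes down to the first two flags: the access token is correctly rejected, and the remaining exposure is only the refresh token, which still has to be stolen first.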
https://hackerone.com/reports/141125 Yey, he made some money for disclosing the version of NGINX.
WE WANT MORE!
There are many others but I think it's enough since I've had my load of fun for the moment. I really should consider doubling my pentest documentation.
I mean, the clients need to know everything even if it doesn't have anything to do with real vulnerabilities, right?
Conclusion(s)
A lot of marketing and branding, and I have to hand it to him and whoever is helping him out. He's received a lot of attention.
Does he know cyber security? I'd say he memorized a few things and always goes for those. Just like some managers and HR people use jargon all the time. I'm curious how he is on the reverse engineering stuff. How good he is with Linux and real network security.
Real threats and vulnerabilities disclosed by this bad boy? Probably
0.
Real high severity threats publicly disclosed by me? 0
Ah, the reasons why I didn’t go fulltime in Cyber Security? The world is
full of scriptkiddies.
Well, if this guy claims to be a Security Researcher and the entrance barrier is so low, then I'm probably one too without realizing it!
Talking about the Dunning–Kruger effect!
The ONLY reason he got into security research was that from posting 100
bugs he might get 5 of low severity right and make some money to buy
games.
Now, I've only analyzed this guy; I'm pretty sure there are hundreds like him doing the SAME things :)
No real security discoveries here. Just in for the $$.
The Fake Fast road to success and knowledge is a path that many people want to take. It's why the self development industry has gotten so much attention and why there are thousands of books written on such topics.
The truth is that no one is going to become rich or famous overnight. It takes time, hard work and dedication.
People look up to those who seem to have it all. Most don’t realize that
appearances and branding make things look better than they are. When
someone is telling you that he’s doing awesome he’s probably not doing
any better than you do.
If you want to achieve something, start preparing and doing the work
needed for 1 hour a day, every day at the same time. 1 hour is enough to
become proficient in 10 years.
Even if you're 20 right now, think that you'll still live to work until your 70s. That 1 hour a day means that in 20 years you will become an expert. Want to do it faster? Increase the time spent.
Mastery comes to those who are willing to invest enough time.