Over the last 5 years, Laxman Muthiyah has been paid US $62,000 by Facebook.
Admit it! All of us spend time scrolling through our Facebook and Instagram feeds, in anticipation of ‘whats’s up with everyone else’. At the same time, there are many prying eyes that wish to take control of our accounts, hack and misuse them.
But for 26-year-old Laxman Muthiyah, a Chennai based independent security researcher, every time he scrolls through his social media feed, he thinks deeply to understand the working of the respective website and the functions performed by the millions of lines of code. It is followed by thinking of possible loopholes and also spotting, identifying them.
Laxman is no novice at this. Over the last 5 years, he has won bug bounty amounting to a whopping US $62,000, most of which were for Facebook and Facebook-owned Instagram. His most recent earnings being US $40,000 - in two instalments - from Instagram.
“It all began after I attended an ethical hacking workshop while in college and it was in 2013 that I won my first bug bounty from Facebook- a princely sum of US $1500d for a student," recalls Laxman.
Although he has completed a degree in Electronics and Communication Engineering, Laxman considers himself a self-taught ethical hacker who learnt the tricks of the trade from workshops, free online content and months of trial and error.
His latest find involved proving to Facebook that multiple accounts could be hacked within a duration of 10 minutes.
“When we choose the forget password option, they send us a 6-digit code to authorize our login. Since it is a 6-digit code, there are 1 million possibilities. We could enter between 50-200 random codes every minute and attempt login, and it could be tried for 10 minutes. With multiple IP addresses, we could use lakhs of codes to attempt logging in and take control of the account. I sent a video of this method to FB and after verifying it, they sent me the payment of US $30,000 as this method has a high rate of success," Laxman told WION.
Subsequently, he spotted another bug where the success rate was relatively lower and received a payment of US $10,000.
If you’re getting ready to put your bug-hunting skills to use, remember that only a few websites encourage and reward it, whereas it is considered illegal when done without the knowledge of the website owner.
When asked if bug-hunting was a popular profession in India, Laxman said, “There is quite a community of bug hunters in India and some companies that support it, but it isn’t as much as in the West, where there is much more opportunity. In the West, techies work full-time jobs and also take up bug-hinting assignments in their spare time. The work-life balance we have in India does not permit that.”
While bug-hunting is more lucrative than a full-time IT job, one must realize that bug hunting is pretty much like fishing where one could end up with a really good catch or none, and we could go without a catch for months, Laxman says laughingly.
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
 "Laxman Muthiyah")
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
)
){kind=small}
){kind=small}
)
)
)
)
)
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}