Ehraz Ahmed, 24, an entrepreneur and ethical hacker, revealed security flaws in companies such as Airtel and Truecaller and safeguarded the data of over 700 million app users in 2019 alone.
By the time he was 16, Ehraz Ahmed says, he was on 50 halls of fame—of companies like Facebook, Netflix, Microsoft and Apple. “If you find a security flaw in a company like Facebook, then they acknowledge your efforts by putting your name on their hall of fame. That is a term they use,” says the 24-year-old, a tech entrepreneur and ethical hacker who now runs three startups. “These companies all had security teams of their own, so to catch these flaws you have to be better than them.”
Ahmed, who started with a passion for gaming and set up game and web hosting servers, moved to the cybersecurity field while he was still in school. He has been dabbling in stocks since he was 18 and runs two web platforms—and has just set up a third.
In 2017, he started Voxy Wealth Management, a fintech start-up which offers a web platform to scan and research financial markets. The same year, he started Aspirehive to provide web security to companies and startups—his interest in data protection, he says, started with the desire to secure his own data. At present, he is working on Stacknexo, a single platform to provide solutions for hosting, server, malware and security issues. The idea came to him two years ago, when his brother had a serious accident and shared his professional aspirations.
In August last year, Ahmed began rooting out security flaws in big companies to keep the tension at bay as he waited in hospital for his father’s open-heart surgery to end. By December, he had discovered and reported data breaches to 10 companies, including Airtel, Truecaller, Justdial and Nykaa.
In the case of Airtel, which has over 300 million users, the vulnerability lay in the Airtel app’s API (application programming interface), which could be exploited to access personal data—such as address, sex and IMEI—through a user’s mobile number. This took Ahmed a mere 15 minutes to crack. Business Insider called it one of the “biggest data breaches of 2019”.
Ahmed found a similar flaw in Justdial, which had over 150 million users. “I was shocked when I found the flaw with Justdial—the platform has a payment gateway! There is JD Business, where a merchant can create an account and accept payments. I could have diverted the payment to some other account. Luckily (for them), I approached the company and got it fixed,” he says.
Ahmed jokes about how people started assuming he had a company “hitlist”. The reality, he says, was far less exciting—“I started with my own phone, I wanted to ensure the apps I had on my phone were secure, then I wanted to ensure my telecom provider was secure. And through that, I protected the data of over 700 million users in those four months—that’s 70 crore users on various apps.”
By the age of 10-11, Ahmed, who grew up in Mysuru, had started accompanying his brother, a web developer, to the cyber cafe. He would try to understand software, ways to build a website, and, of course, use social media such as Orkut and Facebook.
As he grew older, he started going on his own. “The nearest cyber cafe was close to school. We would bunk classes to go there. You have to buy credits—₹30 for an hour—and you have an account where you can log in from with an ID and password. I hacked my friend’s account and would use his credits in the cyber cafe and surf the web for free,” he says. “Unethical hacking was the first step towards ethical hacking,” he laughs.
After the family bought a computer, Ahmed would spend nights on it. His entrepreneurial bent became evident early—as someone who played a lot of Counter-Strike, he decided to sell game hosting servers and web hosting servers.
When his father first suffered a heart attack, Ahmed, then in class X, decided to move on from the server business, which wasn’t doing too well, and enter the cybersecurity field. He quickly made a mark.
After school, he joined an engineering college, but dropped out after his first semester to set up Voxy Wealth Management, following it up with Aspirehive. Through it, as well as his own website, Ehraz.co, and referrals, he has helped secure close to 1,000 websites so far.
Stacknexo, the latest venture, is run remotely. Mysuru, says Ahmed, is a “small town, and not a tech town”. The 10-member team, scattered around India and other parts of the world, has been on a work-from-home mission to launch the platform. He does hope to have a physical setup once the pandemic subsides.
Ahmed believes that a country like India, with a population of more than a billion, offers considerable opportunities in the data protection space. “I think CEOs need to invest in security the same way they invest in infrastructure. If a person is trusting you with their information, they are uploading their driving licence and Aadhaar for KYC (know your customer requirements), you have to keep it secure,” he says.
“Companies must acknowledge and encourage ethical hackers so that they can help you find flaws and help you fix them—they are helping you rectify the infrastructure and not leaking the data.”