Muhammad Ahsan Tahir

Muhammad Ahsan Tahir (born 18 July 2003) is a Pakistani ethical hacker and well-known security researcher, who at the age of 13 ethically hacked Microsoft, Apple, Google, Sony, the US Department of Defense and many other tech giants. His security research interests include finding vulnerabilities in web-applications, mobiles, and software-infrastructures, and bug bounties.
Tahir grew up in Karachi, Pakistan and currently studies at Fazaia Degree College. His first contact with computers was at around 8 years of age, when his father bought him a Pentium 3 computer. Until 2016, Ahsan had an interest in photography. In 2016, when his own portfolio website was hacked, he tried to fix the vulnerabilities in his website, which is when he found that he could also find and fix vulnerabilities in other websites, and his security research journey began.
In March 2017, Tahir was invited to the United States to meet the teams of HackerOne and Bugcrowd.
Tahir has been interviewed by multiple media sources and has been called the youngest security researcher to be listed by tech giants such as Microsoft and Apple, and even the US Department of Defense, among others.
Bug bounty and research acknowledgments
Microsoft Hall of Fame
In June 2016, Tahir conducted a pentest on Microsoft's online services. He found a vulnerability which could have compromised Microsoft's security. Since Microsoft has its own bug bounty program, Tahir reported the vulnerability to them. Microsoft's security team validated and patched the vulnerability. For finding the vulnerability and working ethically, Microsoft acknowledged Tahir by listing his name in Security Researcher Acknowledgments for Microsoft Online Services - June 2016. Even after being acknowledged by Microsoft, Tahir continued his research in their online services.
Kaspersky Lab Hall of Fame and reward
In November 2016, Tahir found that Kaspersky Lab, a cybersecurity and anti-virus provider, was also running a bug bounty program. He was curious whether he could break the security of a company which was itself related to cybersecurity. He found multiple security vulnerabilities in Kaspersky services. He reported these through the HackerOne platform. The Kaspersky security team patched the vulnerabilities. For this ethical act, Kaspersky Lab acknowledged Tahir's name in their Hall of Fame (Thanks) Page. Because the vulnerability was critical, Kaspersky also sent Tahir some gifts.
Second time awarded by Microsoft
After being acknowledged by Microsoft in June 2016, Tahir continued his research into Microsoft's services. In October 2016, he again found a high-risk vulnerability, and reported this to the vulnerability response team, who patched it. Microsoft listed his name in Security Researcher Acknowledgments for Microsoft Online Services - September & October 2016. This time, because the vulnerability's risk was high, Microsoft also rewarded Tahir with a $500 cash reward and some gifts.
Sony Corporation Hall of Fame & Reward
Ahsan was playing Watch Dogs 2 on his friend's PlayStation. When he was done playing and was packing up the PlayStation, Ahsan noticed the domain on the box of the console. When he went back home, he searched to find out whether Sony had a bug bounty program. He found that Sony was running a bug bounty program, with the domain in scope for it. In January 2017, he started his research on the domain and found that the developers had deployed a filter to protect the website from Cross-Site Scripting attacks. Ahsan was able to bypass the filter (he also posted a Proof-of-Concept (PoC) video of the bypass on his YouTube channel). He reported the vulnerability to the responsible team, who fixed the vulnerability, acknowledged Ahsan's name in their Hall of Thanks (2017), and also rewarded him with a t-shirt as a gift. Ahsan posted pictures of the shirt on his Twitter.
Apple Inc. Hall of Fame
Fascinated with Apple Inc. products, Ahsan used an iPhone, a MacBook and other Apple products in his daily life. So Ahsan thought, why not try to hack his favourite company? Ahsan decided to conduct a pentest on Apple Inc.'s online services, and after some deep research he found a vulnerability which could have led to disclosure of sensitive information of Apple's users. Ahsan acted ethically and reported the vulnerability to Apple's responsible disclosure team. For this vulnerability, Apple Inc. acknowledged Ahsan by listing his name in the Apple Inc. Hall of Fame (Apple Web Server notifications), which is the list of people who reported potential security vulnerabilities to Apple.
Ethically hacking the United States Department of Defense
After the U.S. Department of Defense bug bounty program was launched on HackerOne, Ahsan started his research on the websites of the DoD (Army, Navy, DoD, Defense, Airforce). After conducting multiple pentests, he found a number of critical vulnerabilities including SQL Injection, Multiple Cross-Site Scripting, Local File Inclusion, Arbitrary Code Injection, and many other vulnerabilities, and probably reported these vulnerabilities. For these, the U.S. Department of Defense acknowledged Tahir by listing his name in the U.S. Dept. of Defense Security Hall of Fame. After being listed in the Hall of Fame of the US Department of Defense, Ahsan is still continuing his research in the US DoD bug bounty program. Ahsan is the youngest ethical hacker to be able to find multiple vulnerabilities in the US DoD.
