From Free Food to Free Flights: Kanishk’s Journey

According to The 2016 Bug Bounty Hacker Report, approximately 20% of our hacker population live in India, making it the second-most prolific bug hunting nation on the planet.

Kanishk Sajnani is a young hacker who lives in Ahmedabad, Gujarat, India. He made headlines recently by blogging about some of his work.

Kanishk has had some incredible success as a self-taught hacker. And he has experienced some of the same challenges all ethical hackers face when attempting to report security issues to companies.

Just ask Kanishk Sajnani which is simpler -- finding bad bugs in big companies or finding someone in management to fix a problem -- and you may guess what he’d say.

When the young engineering student found his first vulnerability in Faasos, India’s only vertically-integrated on-demand food company, he immediately reached out to the CEO and CTO.

The bug enabled access to card numbers, addresses and order history through emails and mobile numbers. He was able to order free food without being detected. That’s a pretty cool feeling as a young kid. And he responsibly reported it so it could be safely resolved.

Faaso’s indifference didn’t deter Kanishk; in fact, it amplified his natural curiosity. “I was always interested in tech products as a kid,” he explained. “If I had no idea how something worked, I would go for the old and gold ‘Trial & Error’ method. On the very first day of my college, I opened up my personal laptop to each little piece possible.”

The lure of bounties didn’t have much pull, either. “It was actually the curiosity. I was excited to see how someone can have the upper hand on a very well developed application.”

In the space of only a few months, Kanishk took that curiosity and applied it to few of India’s large corporations.

One such company was Air India.

For Kanishk, the leap from super cheap eats to seriously discounted flights was a natural one. “I’d always think, just like ordering free food, is it possible for someone to travel across the world for free too?”

Photo of Kanishk from a mid-day.com feature article. Image credit: mid-day.com

The answers he found were hardly theoretical. As he recounts in How I Could Have Traveled the World for Free, a narrative of his exploits published on Medium, he successfully hacked Air India, SpiceJet and Cleartrip for virtually free world travel and other perks.

Not only did he book a free business class flight from Delhi to San Francisco via Air India, he booked a free SpiceJet trip from Ahmedabad to Goa. Both airlines provided legitimate travel tickets and never flagged him. In fact, SpiceJet mistook his report as a request for an internship. The bug he found at the Cleartrip site provided full, free access to any of the company’s services, including travel, hotel and event reservations.

Finding the bugs was the easy part.

The difficulty was finding someone to whom he could actually report the vulns. Contact information was scarce, and he resorted to writing countless emails to reach anyone who cared. He found that to be “surprising and amusing,” noting that “some senior official from the IT/ Security team should always be approachable by the public.”

Clearly, Kanishk is into bug hunting for the love of it. While bagging a big financial reward doesn’t matter very much to him, he appreciates a sincere nod of thanks or a grateful reward of swag.

And that’s in-line with what we see from our thousands of hackers: 51% hack to do good. We congratulate Kanishk on his success and look forward to future reports! He is one of our dedicated hackers, the “neighborhood watch” of the internet.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.