Rafay Baloch - Ethical Hacker & Cyber Security Expert.

He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. 

Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. 

On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

Techjuice has listed him as one of Pakistan's 25 high achievers under 25 years of age. Apart from this rafay is also Author of "Ethical Hacking And Pentesting Book". Rafay’s work has also been featured into many national/international magazines, newspapers and forums. These include websites such as SC magazine, Forbes, Yahoo news, Metasploit, threatpost etc. His research has been accepted at international conferences such CSP, SecureBrasil, Defcamp, Blackhat etc.

Career:

Baloch began his hacking career while he was still doing his bachelor's. He then wrote a book called "Ethical Hacking Penetration Testing Guide". He is the first Pakistani security researcher to be acknowledged by Google, Facebook, PayPal, Apple, Microsoft and many other international organizations.

He has also written several papers on information security, namely "HTML5 Modern Day Attack Vectors", "Web Application Firewall Bypass", and "Bypassing Browser Security Policies For Fun And Profit".

Rafay Baloch is currently serving the Pakistan Telecommunication Authority as Cyber Security Advisor.

Bug Bounty Programs:

Baloch has been active into bug bounty programs and has reported several critical vulnerabilities in several open source web applications as well as in bug bounty programs. Baloch found critical vulnerabilities in PayPal in 2012: he hacked into PayPal servers by exploiting a remote code execution vulnerability. He was rewarded $10,000 and a job offer to work for them as a Security Researcher that he refused as he was still doing his bachelor's at that time. HackRead, a news platform on InfoSec, listed him among “10 Famous Bug Bounty Hunters of All Time”.  Baloch has also been awarded $5000 by Google and Firefox for baring the vulnerability in their browsers.

Browser Security Research:

In 2018, Baloch unveiled a crack in both Safari and Microsoft's Edge browser that paved the way for the URL of a safe website to be shown in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch identified the security issue and informed Apple and Microsoft in early June 2018. Microsoft fixed the issue within two months but Apple didn’t respond to Baloch's report despite of the deadline given of 90 days grace period so he made the details public. Rafay Baloch wrote in his article that an address bar can be used to easily breach someone’s privacy without them noticing it. The reason this is possible is because an address bar is the only reliable indicator for security in new browsers, as it displays the site’s URL and other details related to the webpage one is on.

Google No-patch Policy Discovery:

In 2014, after Rafay Baloch and Joe Vennix reported Google about a bug that could allow hackers to dodge the Android Open Source Platform (AOSP) browser’s Same-Origin Policy (SOP), they discovered that Google had already terminated its support for WebView on Android devices running Android 4.3 or older versions, while putting the onus on OEMs and the open source security community to provide patches to users at the same time. Whereas Google’s official stance on WebView for older pre-Android 4.4 devices was as follows: “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.” Unfortunately, older versions of Android having unpatched WebView bugs were mainly due to their poor upgraded path, leaving users exposed.

Google then released WebView as a stand-alone application that could be updated separately from the Android version of a device. Simply put, the re-architecting of the WebView would benefit the latest versions of Android, Lollipop 5.0 and Marshmallow 6.0.  But this option remains unavailable to anyone on an older version of the operating system.

On Google’s no-patch policy, Baloch shared his views with Zimperium, stating that “Google’s decision to not patch critical security bugs (pre-KitKat) anymore would certainly impact the vast majority of users. Security firms are already seeing attacks in the wild where users are abusing Same Origin Policy (SOP) bypass bug to target Facebook users.”

The Metasploit Framework, owned by Rapid7, contained 11 such WebView exploits that were need to be patched, most of which were contributions from Rafay Baloch and Joe Vennix.

Rafay Baloch Social Tree:

Facebook - Instagram - Twitter - Website