Mohamed M. Fouad is an independent security researcher from Egypt who recently discovered security vulnerabilities in Glassdoor. He has received acknowledgements from many firms, including but not limited to Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, Adobe, DropCam, Bitcasa, Get Pocket and Splitwise, for his research accomplishments. We shot a few questions at him about his recent hacks and he shot back his bold answers.
TechStorey: As an independent security researcher you have exposed many security vulnerabilities, including those in Jobvite, Booking.com and Glassdoor. What drives you to carry out independent security research?
Mohamed M. Fouad: I’m a software engineer. When I was 13 years old I had a passion for software and hacking, so I studied computer science and worked as a software engineer.
I improved my knowledge of security and participated in security bug bounty programs, and got acknowledged by Microsoft, Oracle, Yahoo, Adobe, eBay, Sony, AT&T, Huawei, DropCam and many more. I reported many security vulnerabilities to Facebook and Google.
TechStorey: Prior to publishing your research findings about security vulnerabilities, you notify the company about your findings. In case they do not respond, you publish the report online. But don’t you think publishing the vulnerability online will expose it to potential hacks?
Mohamed M. Fouad: Yes, it’s true. It can expose companies to potential hacks, but in security reports, if there’s no reply within 25 days or a maximum of one month, I can publish it, and this way the researcher will get their attention more about the security risk they didn’t understand. But there’s also a positive aspect here, as users using this service will be notified about the security risk and will be more careful.
TechStorey: You reported an SQL injection vulnerability in the “jobvite” application. Jobvite did respond to your email. However, you have published the critical information about the vulnerability. At what stage or point do you decide to publish your findings?
Mohamed M. Fouad: The person who responded from Jobvite was a security consultant, so for sure he understands the associated risks, and they just ignored my report; after 4 months they didn’t fix anything. That means they didn’t care about their security, and this may impact all users using their service. After 4 months I have the right to publish it to get their attention more seriously, and that’s actually what happened. They later changed their website because of my report and fixed it. And if they really care about their reputation and users, they must fix the vulnerabilities I report immediately, as they are critical.
TechStorey: Based on your experience, why do you think companies don’t respond to security vulnerability findings? Do they not take security seriously, or do they not like the costs associated with overcoming vulnerabilities?
Mohamed M. Fouad: They don’t reply because they don’t have knowledge about security and the associated risk. What will happen if attackers exploit these vulnerabilities? Every day we hear that one of the big companies was hacked. That’s why!?!! Because they didn’t care about security, and the big problem is also that employees working in these companies are not qualified to deal with these types of reports. They should take extensive training about protecting their systems.
TechStorey: Out of all the vulnerabilities you have reported so far, the Booking.com issue was the most critical one, as it involved credit card information. Do you agree?
Mohamed M. Fouad: No, because it depended on a CSRF attack, and this attack type is client-side, so it depends on user action, but server-side vulnerabilities are the most critical, like SQLi or RCE, etc.
TechStorey: What advice do you give to small companies who cannot afford penetration tests or security consultants?
Mohamed M.Fouad : I advice them to train their employees to be qualified to deal with this kind of risks. Also focus on hiring experienced employees who can tackle security risks and to deal with these types of attacks.