From Microsoft “Build the Shield” to Microsoft “Hall of Fame”
This post is going to be about how I got started in hacking (thanks to Microsoft) and with time, how I was able to help them back by reporting some security vulnerabilities in their web applications.
The story started in my second year. I was a complete newbie — looking up tutorials on YouTube and calling myself a hacker. Hell, I couldn’t even dual boot a PC properly. Back in school, I wasn’t very good with computers. Maybe it was because of the curriculum or the intensive JEE coaching, but I never really had any motivation to explore programming. Things changed when I joined IIT and got my own laptop. My curiosity, eagerness to explore and my very talented friends sure took me a long way.
Back to the story, it all started when I saw a notice board in the college campus. Three words caught my attention: hacking contest, Microsoft and goodies. Needless to say, these were sufficient to get the second year me excited. It was a group event, so I teamed up with two of my close friends. The rules were thus: a 24-hour preliminary round followed by the top 50 teams battling it out in the finale at the Microsoft Hyderabad campus. The glitch here was that only three teams per college could qualify.
I don’t recall how, but we ended up being ranked 42. But what broke my heart was that there were already 3 teams from IIT Guwahati above us. My hopes were dashed — all this while I had considered myself to be a hacker, but my team couldn’t even make it to the finals. We did solve some web-based challenges but the Reverse-engineering challenges had us stumped.
I took this to heart.
Somewhere deep down, it hurt my ego. That was the moment I realized that whatever I was doing was nowhere near enough. Also because of the Build The Shield event I got introduced to CTFs — Capture the Flag contests. We still remember the adrenaline rush we got by participating in the event and couldn’t wait to get another dose of it.
After the contest ended, we participated in random CTF contests and also started reading related write-ups. This taught us a ton of new stuff and slowly, we started getting better at solving the challenges. All the while we only had one thing in mind — to do better in next year’s Build The Shield.
Fast-forward one year.
So the moment came again in my 3rd year. I formed a team with my friends Midhul Varma, Nikhil Alamanda and Venkat Arun. This time it was quite a different story. We called our team CerealKillers. Don’t ask how we came up with it, but the name has stuck on ever since. The screenshot of the leader-board below was taken just 1 hour into the contest — we were at the top. Midhul and I decided to take a hint for a silly question which deducted 50 points for us and landed us at the 6th position.
All the teams above us had a similar score by the last minute.
Our hard work paid off and we qualified to the finals. The whole experience in Hyderabad was a blast. There were so many goodies to win and so many interesting people to interact with and learn from. The CTF was easily the best experience I had in my student life. The people at Microsoft know very well how to host undergrads and organize a grand event.
I got to meet the other awesome teams from IIT Roorkee, IIIT Delhi, IIT Kanpur, IIT Bombay etc. Until then I had no clue that so many talented people from other IITs were interested in cyber security. Though we didn’t win the finals, we were satisfied with the whole experience.
Now coming to the Hall of Fame part
After a few months I was participating in another Microsoft event on campus called Code.Fun.Do — this is a Microsoft-organised hackathon which happens every year in most of the famous colleges in India. We were building something using Bing Maps and while going through the website I noticed that the website was leaking all the API keys for Bing Maps Portal. This was a serious issue. I am not a Bug Bounty hunter, but I was able to notice the vulnerability because of the preparation I did for the Build The Shield event. I immediately reported it to the Microsoft Bug Bounty Program.
Soon it was fixed and they added my name to their Hall Of Fame page as an appreciation.
Leaking API keys in Bing Maps Portal
Since I promised to write about how I got listed in the Microsoft Hall Of Fame, here it is at last.
After that, I found 6 more vulnerabilities in Microsoft websites and ended up in their Hall Of Fame 3 times. Turns out, I got really good at finding bugs. To me, this felt just like another always-ongoing CTF contest.
Broken Access Control in Bing Maps Portal
You can manage your Bing Maps API keys in bingmapsportal, and while updating the name of an application, something caught my eye.
Click Jacking in Bing Maps Portal
This was a rather simple vulnerability but can be dangerous if used correctly.
So the sole reason I was able to report vulnerabilities to Microsoft is because I got introduced to hacking and CTFs because of Microsoft Build The Shield.
For some reason, Microsoft stopped organizing this event from the next year. It had motivated a lot of my juniors as well, to explore the field of cyber security, besides acting as a stepping stone for people like me.
It was easily the best CTF competition in India at that time organised at that scale.
I wish Microsoft would understand that all the resources spent on events like that do not go to waste — they indeed inspire a lot of people. I talked to other students who came to the finals and their stories were equally fascinating. Build The Shield played a significant role in making them interested in the Cyber Security domain.
As for the other CerealKillers, one of them is working in Microsoft Research, another is in Amazon, while the third is pursuing a PhD in Computer Science from MIT.
I am still in contact with some people from other colleges and they too are in really good places like pursuing a PhD from CMU, working for Facebook, Google or Microsoft. I, on the other hand, decided to start my own cyber security start-up and am currently working on it. This is really awesome, considering these people have a fair amount of security knowledge and they will keep that in mind while they are working on anything.
We also happened to meet a Tollywood movie star — Nagachaitanya
It was around that time when I noticed the security scenario in India is deplorable. To encourage responsible disclosures I also helped in starting the IIT Guwahati Bug Bounty Program.
How IIT Guwahati started its own Bug Bounty Program
This post is my perspective on how IIT Guwahati became the first educational institute in India to start its own bug…
We still have a long way ahead of us. But I seriously want to thank the Microsoft team responsible for the CTF event. For all the would-be CTF-enthusiasts out there, I only wish they would start it again.