Not long ago, Gowtham Ponanna wrote an article on a critical vulnerability that allowed him to take over any user account without any user interaction, a flaw that could lead to a huge loss of funds and of the company’s reputation. The CVSS score of this report was 10.
We asked Gowtham Ponanna a few questions. We talked about his first experience in hacking, his bug bounty journey, and a few other topics.
Can you tell us a little bit about yourself?
Yeah, for sure. I’m Gowtham Naidu Ponnana, an 18-year-old security researcher based out of India, specifically from the south part of India, a Telugu-speaking guy 🙂. I’m currently working as Head of Security for a cryptocurrency exchange named “Cryptoforce”. I started my career in “cybersecurity” back in my 8th grade, at the age of 13, and ended up in 29th place on Hackenproof and in the top 150 on Immunefi.
Note – Don’t try to find bugs! But if you didn’t listen to me and tried anyway, do report them to me at “[email protected]”.
What got you into hacking? Do you remember the first vulnerability that you discovered? Where was it?
Umm, how I got into hacking? That’s a great question, and there is a story behind it, and more specifically a game: Clash of Clans. My brother and I used to play that game very often, and we were pros at that time, but due to some incident I had given my Gmail account, which was connected to the game, to one of my old friends, and he ended up changing my password and every recovery option. That was the first step, where I thought of getting my account back (because I’m afraid of my brother 🙂), and that’s how I ended up here.
And the first vulnerability was indeed “social engineering” for me, where I hacked into my friends’ accounts and the school principal’s account by a phishing attack back in my 8th grade. The first web vulnerability was an “account takeover” of my college, the most popular in India. It was back in my 11th grade.
What’s the most appealing thing about hacking to you, personally?
I guess I’ve felt that only about 3 times during my career so far:
- When I hacked into my college and got data on 70M+ accounts, including their bank details and stuff.
- When I got my first bounty.
- Recently, when I got an ATO on the crypto exchange; I hope you read the blog.
And for me, it’s all about making the world a secure place, as I mention too often during conversations. For me, hacking is purely understanding the technology and the flow, and going against the rules.
How did you get into web3 hacking? What difficulties did you encounter in comparison with web2 hacking?
I remember this… I heard about Bitcoin when I was just getting started in websec, but I didn’t understand the technology back then. But I got to understand the huge bounties after pwning.eth got a whopping bounty of $1M, and it made me dig deeper. And you know, the technology is interesting, and it’s great to see those hashes in front of your eyes. So that’s how I eventually started.
Coming to the difficulties, when I started there were no good resources to start with and guide you… but now there are tons. Anything between these two is dangerous. When you’ve got nothing, you’ll struggle. When you have everything in abundance, you’ll get confused and you’re stuck.
What types of bugs do you like to hunt? What are your favorite hacks in your career so far?
If you’ve gone through the recent blog on Hackenproof, you can be pretty sure that I’m mostly into authentication vulnerabilities. I’m always a guy who loves to dig deep into authentication management and tries to exploit the system in all possible ways that exist. To be clear, I’m a guy who is more interested in testing server-side vulnerabilities than client-side ones such as XSS.
Coming to my favorite hacks so far, ummm, I would definitely rate the recent issue that I found in a top exchange as my top hack, followed by the smart-contract bug that I found on Immunefi. And this is still in the back of my mind: “hacking into my professor’s account” was also fun (don’t do it).
What is the most creative attack you have been able to successfully execute? Any cool stories or lessons learned that you can share?
I would rate the recent bug that I discovered as also the most creative, because you need to understand the general flow, and you need to assume how the backend code would validate the stuff. After that, the race-condition bug that I found in Illuvium on Immunefi is also one of the most creative, as I needed to include 3 vulnerabilities in order to show the high impact.
As I’ve said, we’ll always learn something out of every vulnerability. After these 2 incidents, I understood that “It doesn’t matter if the company pays huge bounties or small bounties; it’s a matter of the user funds that are at risk.” I’m happy to say that I’ll be working to make these companies as secure as possible from my end. And what I could recommend is, “Don’t follow the money; follow your passion, and money automatically follows you…”
Do you have any hacker mentors? Are there any guys you follow and read their posts?
Yes, I’m glad that I got a mentor at an early age. When I started, I was alone. But over the years, I always used to mess things up, and the path sucked! My first mentor is always @nullshock1 (https://twitter.com/nullshock1). More than a mentor, he is a brother to me. He helped me in all ways possible. So, as I said in many posts, he’ll always be my mentor.
Coming to the next question, there are no specific people I follow for security stuff, because the infosec domain is so huge that you’ll find so many pros. But I usually read at least 2 security blogs a day to keep myself updated. What I would recommend to others is to simply follow some big people on Twitter, and you’ll automatically learn something new.
What do you do in your free time when you’re not hacking?
Apart from hacking, I’m a sports lover. I play cricket and other games. I usually talk to a lot of random people just to increase my communication skills. As part of my habit, I read books more often when I’m not doing hacking stuff. Also, to note, I eat a lot.
What advice would you give other hackers just starting out?
My advice differs from person to person.
- But in general, if you’re starting out in infosec, I would say “Look for a mentor, stick with him and his suggestions, learn stuff, and share your learning with others.” This is the most common thing I would say.
- If you’re someone who is getting into bug bounties, I would say “Leave everything, master one specific area and vulnerability, and you’ll find a special place in the community.”
- Finally, for someone getting into web3 sec, I would say “You’ll get frustrated, you’ll lose yourself, and you’ll find yourself at your lowest, but never give up. If not today, tomorrow you’ll find your first bug.” I’m not a pro either, but I’m not someone who is going to leave this arena. I’m here to stick around and to rule.