Delhi hacker wins $30,000 reward from Microsoft for finding bug in Azure cloud system
Aditi Singh, who found a similar bug in Facebook just two months back and won a bounty of $7500, said that both companies had a remote code execution (RCE) bug, which is relatively new and is currently not being paid much attention to
A 20-year-old ethical hacker from the Indian capital of Delhi has won a reward of $30,000 for spotting a bug in Microsoft's Azure cloud system.
Aditi Singh, who found a similar bug in Facebook just two months back and won a bounty of $7500, said that both companies had a remote code execution (RCE) bug, which is relatively new and is currently not being paid much attention to, India Today reports.
Through such bugs, attackers can gain access to internal systems and the information they hold.
Aditi notes that it is not easy spotting bugs and that ethical hackers have to stay on top of their game regarding new bugs, so they can report them and still be eligible for their payouts. She, however, also emphasises gaining knowledge and learning about ethical hacking first, rather than focusing just on making money.
"Microsoft has only fixed the bug which I spotted two months back. They have not fixed all of them," said Aditi, who was the first one to spot the RCE bug and said that the tech giant took two months to respond as they were checking if anybody had downloaded its insecure version. She suggests that before even starting to look for a bug, people should ask the company's support team whether it hosts a bounty program, and only if the company confirms such a program should bounty hunters go ahead.
Bug bounty hunters are mostly certified cybersecurity professionals or security researchers who scan companies' systems for bugs or flaws that attackers could exploit, and alert the companies to them. If they are successful, they are rewarded with cash.
Talking about the RCE bug spotted in Facebook and Microsoft, Aditi explains that the developers wrote the code directly when they should have first downloaded it through the Node Package Manager (npm) -- a subsidiary of GitHub where anybody can access the code from these companies, as it is open-sourced.
"Developers should write code only after they have the NPM," she said.
Aditi has been into ethical hacking for the past two years. She first hacked her neighbour's WiFi password (which she considers a personal feat), and there has been no looking back ever since.
"I took an interest in ethical hacking when I was preparing for NEET, my medical entrance in Kota," Aditi said.
"I didn't get through in medical school but have found bugs in over 40 companies including Facebook, Tiktok, Microsoft, Mozilla, Paytm, Ethereum, HP, among others."
She has also received appreciation letters from Harvard University, Columbia University, Stanford University, University of California and has also been highlighted in the Google hall of fame.
"I was certain I wanted to get into ethical hacking after I reported an OTP bypass bug in TikTok's Forgot Password section and won a bounty of $1100," added Aditi, who is self-taught and notes that anyone who can access Google and Twitter can become an ethical hacker.
"There are multiple resources on Google, Twitter and Hacker One that have write-ups with explanations about ethical hacking," Aditi said.
She further added that she was hired for a job after hacking into the company's application.
"They did not ask for my qualification but only saw my skills, and I was hired."
Aditi notes that if people want to get into advanced learning of hacking, then they should know a programming language -- either Python or JavaScript. She also suggests OSCP, which is a certification course aimed at helping budding ethical hackers.
When asked where she spends her "bounty", she said most of it goes into buying hacking tools or paying for certificate courses about hacking.