Up close and personal with Makman, the hacker behind the recent Gaana.com hack
On 28th May, Gaana, one of the most widely used music streaming services in India, was hacked by a hacker who goes by the moniker Makman. Using SQL injection, Makman broke into Gaana.com and exposed a database of more than 12 million service users. After the hack, he proudly shared the update on his Facebook profile, which was quoted in the news coverage that followed.
The incident was widely covered in local and international media; some people appreciated the hacker while others abused him. Meanwhile, word also came in that Makman is from Pakistan and resides in Lahore. TechJuice decided to get in touch with him to hear his version of the story, so we tweeted him for an interview.
Surprisingly, given the nature of the request, Makman agreed to meet at a coffee shop in Lahore. There is so much negativity attached to hacking that whenever you imagine a hacker, you somehow think that the person will be scary or very intimidating. Driving towards the coffee shop for the interview, I was getting all sorts of crazy thoughts: Will he show up? What is he going to look like? Will he be comfortable answering all of my questions?
My imagination was proved wrong when a very decent-looking person dressed in black pants and a shirt greeted me. Initially confused and paranoid, Mukarram Khalid (Makman) opened up and shared his journey quite frankly.
Mukarram hails from Sialkot. In 2007, he moved to Lahore to pursue Electrical Engineering at the University of Central Punjab. He had an intense interest in computers, technology and security, which is why he was an exceptional programmer even before starting his engineering degree. Coincidentally, 2007 was also the year when a cyber war was going on between Pakistan and India. Mukarram became interested in it and started joining forums, blogs and chatrooms about hacking.
“If you really know how to make stuff, it’s not very difficult to break it,” said Mukarram sheepishly.
Initially, he and his fellows were not really serious about hacking and took it as a hobby, having ‘fun’ by exposing and exploiting vulnerabilities on different Indian websites. Mukarram recounted, “When I started, I felt great hacking Indian websites, so I targeted low 3rd grade websites.” After the sudden realization that hacking and defacing a website does no good and puts the website owner in a miserable position, he decided to identify vulnerabilities in websites and advise their owners on improving their security.
But he had his fair share of ‘fun’ before jumping on the bandwagon of “Security Researchers”. Using the same Makman name, he has hacked Zeetv, several university websites, and a famous job and video portal in the past. Several websites have also hired him and have been on the receiving end of his expertise.
Usually, hackers find a loophole and blackmail the website owners into paying them a ‘reward’, which can be a job or money, for finding the vulnerability. Mukarram flatly denied ever having done this with anyone.
“There is a fine line between blackmailing and convincing someone that your website is not secure and you need to take some serious measures for its security. I am the one who believes in convincing and 90% of the time, I have been appreciated and welcomed. The rest of the time, I have been treated very ill.”
Talking about the Gaana episode, Mukarram said that it started in January 2015, when he found a vulnerability on the website through a blind injection technique and reported it to Gaana through the feedback form. He never received any acknowledgment. He got interested and spent more time researching the website. After a while, things started to become clear and he got into the website's database, where he actually had access to 10 million users. “I was literally shocked, the database was so huge, it got me interested.”
Hackers take great pride in hacking high-profile websites that get massive traffic, have a huge database of users and rank very well on Alexa. Mukarram had found his prey. Gaana had everything an ideal website to hack should have. “The reason that Times of India was behind Gaana.com made it even more lucrative.”
Long story short, he claimed to have reached out to the Gaana team several times but never got a response or proper feedback. One of Gaana’s issues, he said, was worked on by the team, but the solution was very poor, leaving the website prone to attacks. He added that when Adult Finder, an online dating website, was hacked and its whole database of millions was sold on the “Deep Web” for 16 thousand dollars, he couldn’t resist making the hack public to get the attention of the relevant people in the company. At 2 am on 28th May, Mukarram hacked the website, told a couple of friends and went to bed. The following morning, the news spread like wildfire and was covered by major news publishing platforms throughout the world, with a backlink to his official “Makman” Facebook profile.
Mukarram’s profile was disabled due to Facebook’s stringent policy of requiring real names on profiles. Makman regretted losing all the followers and friends he had gained in the aftermath of the Gaana.com hack. But he went on to say, “My motivation was never money, job or any attention. I was thinking in the interest of the website founder. I could have defaced the website, dumped the database or disclosed all the details, but I didn’t do that.” In fact, according to Mukarram, the website might get hacked again because the Gaana team hasn’t properly ironed out the security issues.
We also talked about the consequences of such an action, which could lead Indian hackers to take revenge. Mukarram said that he was deeply appreciated by fellow hackers from India but got a very ‘ill’ response from Pakistanis, who abused and degraded him publicly. I asked whether there could have been a more decent way to approach the organization than a public hack that resulted in such huge negative attention. Mukarram defended himself by saying that he wasn’t expecting such huge media attention and that he had failed to get a reasonable response from the team.
“Long distance relationships and jobs never work out. I will not work for Gaana, the job offer wasn’t really meant to be a real job offer, it was just a gesture publicly shown by the Gaana.com’s CEO.”
Mukarram currently works full-time at a private company where his peers and seniors don’t know that he is “Makman” (which will not be the case anymore). He is also afraid that he might get caught because of the government websites he had previously hacked for fun. He advised fellow and aspiring hackers to be patient and persistent and to keep reading research articles on the Dark Web, Reddit or mIRC. Although Mukarram seemed paranoid and kept looking around in suspicion during the whole interview, he still plans to continue hacking as a security researcher.
Mukarram Khalid pictured below. He believes he is a white-hat hacker and there is no point in hiding the identity now. His image has been shared with his permission and consent.
Update: Email sent by Mukarram to Gaana.com – We have hidden the contacts for privacy.
Conversation with the CEO of Times of Internet.