Rafay Baloch
Security researcher


Pakistani ethical hacker and security researcher (born 1993)

Born: 5 February 1993

Rafay Baloch is a Pakistani ethical hacker and security researcher.

Early Life and Education

Rafay Baloch was born on 5 February 1993 in Karachi, Pakistan. He studied for a bachelor's degree in computer science at Bahria University and began his work in ethical hacking and security research while still a student.

Career

Baloch started participating in bug bounty programs while still completing his undergraduate studies. In 2012, he discovered a remote code execution vulnerability in PayPal's servers and demonstrated a working exploit. PayPal rewarded him with $10,000 and offered him a Security Researcher position, which he declined at the time because of his ongoing studies. He has also received a $5,000 award from Google and Mozilla for disclosing vulnerabilities in their respective browsers (Chrome and Firefox).

In 2014, Baloch was recognized by Checkmarx as one of the world's top five ethical hackers. He is also the author of two books: Ethical Hacking Penetration Testing Guide and Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting.

Security Research

Baloch has been particularly active in identifying browser-level vulnerabilities, with a focus on Same Origin Policy (SOP) bypasses, which let a page from one origin read data belonging to another, and address bar spoofing flaws, which let a page misrepresent the URL the user believes they are viewing.

Android Browser SOP Bypass

One of his most significant findings was a Same Origin Policy bypass in the Android stock (AOSP) browser, catalogued as CVE-2014-6041. Google initially rejected the report but verified it after researchers from Rapid7 confirmed the issue. Researchers at Trend Micro subsequently found the bug to be more widespread than initially understood, and it was later reported that malicious actors had used Baloch's SOP bypass techniques to compromise Facebook accounts. Rapid7 researcher Joe Vennix further extended the bug into a remote code execution exploit. Baloch also identified vulnerabilities in WebView that allowed attackers to read local files and steal cookies from users' devices.
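To make concrete what a bypass like CVE-2014-6041 defeats, the following is an added example (not code from Baloch, Rapid7 or the Android project) of the check the Same Origin Policy performs before one document may read another's cookies, DOM or storage. An origin is the tuple (scheme, host, port), and all three must match; a bypass is any path by which the browser reaches "allow" for tuples that differ. The hostnames are hypothetical and the only dependency is the WHATWG URL parser that Node and browsers expose as the global `URL`.

```javascript
// Added example: the Same Origin Policy decision, modelled as an origin-tuple
// comparison. Not Baloch's, Rapid7's or AOSP's code. Hostnames are constructed.

// Returns the serialized origin of a URL, e.g. "https://bank.example".
// `URL.origin` drops a default port (443 for https, 80 for http) and returns
// the string "null" for opaque origins such as file:, data: and javascript:.
function originOf(urlString) {
  return new URL(urlString).origin;   // throws TypeError on unparseable input
}

// The SOP decision: true only when scheme, host and port all agree.
// An opaque ("null") origin never matches anything, not even itself.
function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Models a script running in the document at `scriptUrl` attempting to read
// state (cookies, DOM, localStorage) that belongs to the document at `targetUrl`.
function decideAccess(scriptUrl, targetUrl) {
  return isSameOrigin(scriptUrl, targetUrl) ? 'allow' : 'deny';
}

// Constructed cases: [script URL, target URL, expected decision, reason].
const CASES = [
  ['https://bank.example/account', 'https://bank.example/logout', 'allow', 'same scheme, host and port; path is irrelevant'],
  ['https://bank.example:443/a',   'https://bank.example/b',      'allow', '443 is the default https port'],
  ['http://bank.example/',         'https://bank.example/',       'deny',  'scheme differs'],
  ['https://bank.example/',        'https://bank.example:8443/',  'deny',  'port differs'],
  ['https://attacker.example/',    'https://bank.example/',       'deny',  'host differs'],
  ['https://login.bank.example/',  'https://bank.example/',       'deny',  'a subdomain is a different host'],
  ['file:///sdcard/page.html',     'file:///etc/hosts',           'deny',  'file: origins are opaque and never match'],
];

// Runs every case and returns those where the implementation disagrees with
// the expected decision; an empty array means the policy behaves as described.
function checkCases(cases = CASES) {
  return cases
    .filter(([s, t, expected]) => decideAccess(s, t) !== expected)
    .map(([s, t, expected]) => ({ script: s, target: t, expected, got: decideAccess(s, t) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [s, t, , why] of CASES) {
    console.log(`${decideAccess(s, t).padEnd(5)} ${s} -> ${t}  (${why})`);
  }
  console.log(checkCases().length === 0 ? 'all cases agree with the policy' : checkCases());
}
```

The last case is the one most relevant to the WebView findings above: a page loaded from a `file:` URL has an opaque origin, so a correct implementation denies it access to every other local file; a browser that lets such a page read `file:///etc/hosts` or the cookie store has exactly the class of defect described.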

Google No-Patch Policy Discovery

In the wake of Baloch and Vennix's 2014 report of the AOSP browser SOP bug, it emerged that Google had stopped developing patches for WebView on devices running Android 4.3 or older, leaving fixes to OEMs and the open-source community. This disclosure drew attention to the risk borne by users of older Android versions, who had limited or no upgrade paths. At the time, the Metasploit Framework, maintained by Rapid7, contained 11 exploits for WebView bugs that remained unpatched on those devices, the majority of them contributed by Baloch and Vennix.

Address Bar Spoofing Vulnerabilities

In 2018, Baloch uncovered address bar spoofing vulnerabilities in both Apple Safari and Microsoft Edge, which allowed a malicious website's URL to be masked by that of a legitimate site in the browser's address bar. He notified Apple and Microsoft in early June 2018. Microsoft resolved the issue within two months, while Apple did not respond within the 90-day disclosure deadline, prompting Baloch to make the details public.

In October 2020, Baloch disclosed a broader set of address bar spoofing vulnerabilities affecting Apple Safari, Yandex, Opera Mini, UC Browser, Opera Touch, Bolt Browser, and RITS Browser. The disclosure was coordinated by Rapid7, which set a 60-day patching window. Upon expiration of that period, Baloch released proof-of-concept exploits for the affected browsers.

Baloch also collaborated with another researcher to identify multiple security vulnerabilities in PureVPN's Linux desktop client.

Recognition

In 2021, the Islamabad High Court appointed Baloch as an amicus curiae in a case concerning social media regulations. On 23 March 2022, Pakistan's Inter-Services Public Relations (ISPR) honored him with the Pride for Pakistan award for his contributions to cybersecurity. His work has been covered in numerous international publications focused on cybersecurity and digital privacy.
