Ibrahim Mohammad Iqbal, a cyber security student from Afghanistan studying at Asia Pacific University of Technology & Innovation (APU), has gained international acclaim for his responsible vulnerability disclosures, including one to NASA — and has reported over 400 security flaws to leading organisations such as Google, TikTok, and the Pentagon.
Ibrahim Mohammad Iqbal, 25, currently in his second year of cyber security studies at APU, has made remarkable strides in the field through his dedication and curiosity. His most notable achievement is a letter of appreciation from NASA, received after he responsibly disclosed a serious data exposure.

While conducting a routine “Google Dorking” session — a method for identifying exposed data online — Ibrahim discovered a NASA domain unintentionally leaking sensitive internal information, including names, emails, and contact details. He immediately reported the issue through NASA’s Vulnerability Disclosure Programme (VDP), leading to an official commendation.
“That moment meant a lot,” Ibrahim reflected. “But it wasn’t the only one.”
Through platforms such as HackerOne and Bugcrowd, he has responsibly reported over 400 security vulnerabilities. His work has been acknowledged by major tech firms, including Google, TikTok, Dropbox, IBM, and Sony, as well as government bodies like the U.S. Department of Defence and the Dutch Government.
One significant find was a race condition vulnerability in the WordPress plugin ‘Poll Maker’ that allowed vote manipulation. Ibrahim worked with cyber security firm Patchstack to ensure a patch was released (version 5.7.8).
“For me, it doesn’t take a job title to make an impact, just curiosity, responsibility, and the courage to act,” said Ibrahim.
A Look Inside Ibrahim’s Methodology
Ibrahim emphasises the importance of ethical practice in cyber security. “Before testing anything, I always review a programme’s scope and rules to stay compliant,” he said.
To identify the NASA vulnerability, Ibrahim began by using tools like Subfinder to list subdomains under nasa.gov. He then cross-referenced these with Google Dorking techniques using queries such as site:*.nasa.gov to uncover publicly indexed subdomains that automated tools might miss.
“One subdomain caught my eye — it wasn’t in Subfinder, but appeared in Google search results. The page seemed blank at first, but I kept digging.”
Using the Wayback Machine’s CDX API, he accessed archived versions of the site and discovered a URL that loaded sensitive internal staff data — all publicly accessible without authentication.
“This wasn’t about advanced tools — it came down to manual effort, curiosity, and smart filtering.”
Strategic Thinking in Bug Hunting

Ibrahim selects targets based on potential impact and familiarity with the underlying technology. “Understanding how an app functions lets me spot flaws that scanners miss, like logic errors or misconfigurations.”
His workflow combines automation for repetitive tasks with hands-on analysis. Tools help with reconnaissance, but identifying deeper issues — like business logic flaws or race conditions — requires human insight.
“One of the most interesting bugs I found was a logic flaw. It wasn’t technical — just poor handling of user actions. A scanner would never detect that. It’s about understanding how systems are really used — and abused.”
From Classroom Challenge to Real-World Impact
Ibrahim attributes some of his progress to the practical, hands-on approach at APU, particularly in courses like System and Network Administration.
“I remember a friendly bet with my classmates Nor and Osama to find a vulnerability in Red Hat systems we’d studied. What began as a joke ended with a recognised disclosure. That experience showed me how powerful curiosity can be when applied with purpose.”
Balancing Studies and Cyber Security Practice
Managing his academic responsibilities alongside active bug bounty work is no easy task, but Ibrahim credits time management and automation for his success.
He’s built custom tools to continuously scan for specific vulnerabilities, freeing up time to focus on studies or deeper analysis. “I treat bug bounty as an extension of what I learn in class. If we’re studying web architecture, I apply it directly to real-world testing.”
Rather than pushing himself to find vulnerabilities daily, he focuses on consistency. “It’s not about volume — it’s about quality, learning, and staying engaged.”
Looking Ahead: AI and Cyber Security
Ibrahim is particularly interested in how artificial intelligence is reshaping cyber security.
“My long-term goal is to combine ethical hacking with AI to make vulnerability detection smarter and more scalable. I’m exploring areas like adversarial machine learning and AI-based triage systems.”
His upcoming final-year project will focus on the intersection of AI and cyber security, aiming to explore real-world applications and challenges. “AI isn’t just a tool — it’s a frontier. I want to help shape how it’s used responsibly in securing digital systems.”
Mr Shahab Alizadeh, Ibrahim’s mentor and lecturer at APU’s School of Technology (SoT), commended his student’s drive and values: “Ibrahim’s dedication, curiosity, and ethical mindset set a strong example for aspiring cyber security professionals. It’s been a privilege to mentor him, and I’m confident he’ll continue making meaningful contributions to the global cyber security community.”