APU Cyber Security Student Gains Global Recognition for Bug Hunting Prowess

10 Jun 2025, 03:30 pm

Ibrahim Mohammad Iqbal, a cyber security student from Afghanistan at Asia Pacific University of Technology & Innovation (APU), has turned his passion into impactful contributions, earning acknowledgements from NASA and reporting over 400 vulnerabilities to major organisations, from Google and TikTok to the Pentagon.

From left: Mr Shahab Alizadeh and Ibrahim Mohammad Iqbal display a letter of appreciation given to Ibrahim by the National Aeronautics and Space Administration (NASA).


Over the past few years, Ibrahim Mohammad Iqbal, a bright and driven year two cyber security student at Asia Pacific University of Technology & Innovation (APU) hailing from Afghanistan, has remarkably transformed his deep-seated passion for cyber security into significant contributions impacting major organisations across the globe.

One of his most notable achievements to date was receiving official commendation from none other than the ‘National Aeronautics and Space Administration (NASA)’. 

During a routine Google Dorking exercise — a technique he employs to uncover publicly exposed data — Ibrahim stumbled upon a NASA domain inadvertently leaking sensitive internal staff information. 

This included a trove of emails, names, telephone numbers, and addresses, all worryingly accessible without any form of authentication.

Demonstrating commendable responsibility, Ibrahim promptly reported his discovery through NASA’s Vulnerability Disclosure Programme (VDP). 

In recognition of the value of his findings, NASA issued him a signed letter of acknowledgement.

“That moment meant a lot,” Ibrahim recalls, “but it was not the only one.” Through responsible disclosure platforms like HackerOne and Bugcrowd, this diligent student has reported an astounding tally of over 400 vulnerabilities. 

The impressive list of organisations that have formally recognised his invaluable work includes tech giants like Google, TikTok, Dropbox, IBM, Yahoo, and Sony, alongside industry leaders such as Red Hat, Square, FIS, Line, InDrive, and even governmental bodies like the U.S. Department of Defence and the Dutch Government.

His keen eye for detail also led to the discovery and responsible disclosure of a race condition vulnerability within the widely used WordPress plugin ‘Poll Maker’, which allowed unauthorised users to cast multiple votes.

Following Ibrahim’s coordinated efforts with Patchstack, the vulnerability was promptly addressed, and a patch was released in version 5.7.8.

For him, “It does not take a title or a job to make a difference, just curiosity, responsibility, and the courage to act when others overlook.”

NASA discovery: Ibrahim’s methodical approach

When asked to detail the precise steps he took to uncover the NASA vulnerability, Ibrahim provided a fascinating insight into his methodology.

“Before starting any testing,” Ibrahim explains, “I carefully reviewed the scope and rules of NASA’s Vulnerability Disclosure Programme to ensure I stayed within the allowed boundaries.”

His initial step was exhaustive subdomain enumeration: he collected as many subdomains as possible using tools like Subfinder, which generated a long list such as example.nasa.gov, test.nasa.gov, and many others.

To refine this list, Ibrahim cross-referenced it with Google Dorking, using queries like site:*.nasa.gov to identify the subdomains Google had indexed.

Then he filtered out the ones already present in his Subfinder results, checking each with queries like site:example.nasa.gov.

This helped him discover subdomains that were publicly indexed by Google but had not been detected by automated tools, which often means they are overlooked and potentially more vulnerable.

“After almost a week of filtering and analysing, one subdomain caught my attention. It was not in my Subfinder results but showed up in Google. When I visited it, the page seemed empty at first, but I was curious to dig deeper.”

His curiosity led him to explore historical data: using the Wayback Machine’s CDX API, he retrieved a list of archived URLs for the subdomain and checked its historical content.

One of those URLs included a year parameter with a 2026 value. He began testing different values; on changing it from 2026 to 2025, he noticed that the page became unresponsive, which indicated that a large amount of data was loading in the background.

His persistence paid off. The page loaded and exposed sensitive internal staff data like full names, email addresses, phone numbers, and addresses, all publicly visible without any login or access control.

“Once I confirmed the issue, I documented everything and submitted a detailed report through NASA’s official VDP platform, following proper responsible disclosure steps.

“This discovery did not rely on advanced tools; it was mostly manual reconnaissance, smart filtering, the use of open tools like Google and the Wayback Machine, and a lot of patience.”
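The reconciliation described above, turned around into an attack-surface review a defender can run over their own organisation, as an added example that is not part of the original article or Ibrahim's tooling: it finds hostnames that are publicly indexed but missing from the scanner's inventory, and lists archived paths whose query parameters (such as year=) deserve an access-control check. All hostnames and the CDX rows are constructed samples; the JSON layout (a header row followed by data rows) follows the Wayback CDX API's output=json format.

```python
"""Attack-surface review: reconcile a scanner's host list with externally
observed hostnames and archived URLs in Wayback CDX JSON form."""
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: hostnames an enumeration tool (e.g. Subfinder) returned.
SCANNER_OUTPUT = """\
www.example.org
test.example.org
mail.example.org
"""

# Constructed sample: hostnames seen via a site:*.example.org search query.
SEARCH_INDEXED = ["www.example.org", "Test.example.org", "legacy.example.org"]

# Constructed sample in the CDX API's JSON shape: header row, then data rows.
CDX_JSON = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20240101000000", "http://legacy.example.org/", "200"],
    ["20240301000000", "http://legacy.example.org/report?year=2026", "200"],
    ["20240302000000", "http://legacy.example.org/report?year=2026&fmt=csv", "200"],
    ["20240501000000", "http://legacy.example.org/static/logo.png", "200"],
])


def unmanaged_hosts(scanner_output: str, indexed: list[str]) -> set[str]:
    """Hosts that are publicly indexed but absent from the scanner's output.
    These are the overlooked assets the article describes; a defender should
    add them to the inventory and review what they serve."""
    known = {line.strip().lower() for line in scanner_output.splitlines() if line.strip()}
    return {h.strip().lower() for h in indexed} - known


def archived_parameterised_urls(cdx_json: str) -> dict[str, set[str]]:
    """Map each archived path to the set of query-parameter names seen with it.
    Parameters that select a record range (year=, id=) are the ones to test
    for missing authentication, since they can walk through bulk data."""
    rows = json.loads(cdx_json)
    header, body = rows[0], rows[1:]
    col = header.index("original")  # locate the field regardless of fl= order
    result: dict[str, set[str]] = {}
    for row in body:
        parts = urlsplit(row[col])
        if parts.query:
            result.setdefault(parts.path, set()).update(parse_qs(parts.query))
    return result


if __name__ == "__main__":
    print("unmanaged hosts:", sorted(unmanaged_hosts(SCANNER_OUTPUT, SEARCH_INDEXED)))
    print("parameterised archived paths:", archived_parameterised_urls(CDX_JSON))
```

In a real review the two inputs come from the organisation's own scanner run and a CDX query for its domains; the logic is unchanged.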

Ibrahim’s prioritisation and workflow

With an impressive record of over 400 reported vulnerabilities, Ibrahim sheds light on his strategic approach to prioritisation and management.



“I usually start by selecting targets based on two main factors: the potential impact of a vulnerability and the realistic chance of finding something meaningful,” he explains.

“I focus on platforms and programmes where I have a strong knowledge of the technologies being used, which allows me to spot logic flaws or misconfigurations that automated scanners might miss.”

Before diving into any testing, he takes time to study the programme scope and documentation carefully. To manage such a high volume of findings, he relies on a mix of automation and manual testing.

For example, he uses tools to handle basic reconnaissance, such as collecting subdomains or crawling endpoints, but he always manually analyses the behaviour of the application to look for deeper, non-obvious issues such as business logic flaws, race conditions, or misconfigured access controls.

“One type of vulnerability that stands out to me and that I almost overlooked at first was a business logic flaw that did not rely on any technical exploit but rather on how the application handled specific user actions. 

“It was not something a scanner would ever catch. It came down to thinking outside the box and understanding how a real hacker might abuse normal functionality in an unexpected way.”

For him, what made this interesting is that it was not about exploiting deep technical complexity; it was about knowing where to look, thinking like a real attacker, and testing timing-based behaviour in features many assume are safe.

Ibrahim recounts a compelling example of how his innate curiosity, sparked during a university module, led to an unexpected yet significant cyber security finding.

“One moment that really captures how curiosity can lead to unexpected discoveries happened during a System and Network Administration class with one of my favourite lecturers, Mr Shahab Alizadeh,” Ibrahim shares.

“Throughout the course, we worked hands-on with Red Hat systems, setting up services, managing permissions, and configuring security settings. That exposure sparked my curiosity; I started wondering how secure these systems really are, especially in real-world deployments. 

“At the end of the class, my friends Nor and Osama, who were just getting into cyber security, jokingly challenged me to see who could find a vulnerability in Red Hat first. It started as a fun, friendly bet, but I took it seriously.”

Reflecting on this experience, Ibrahim concludes, “What began as a casual classroom challenge and a bit of curiosity ended up becoming a recognised vulnerability disclosure. 

“That experience reminded me how the smallest spark — even just a lecture or a friendly bet — can lead to something impactful when approached with the right mindset.”

Balancing academia and bug bounties

As a dedicated cyber security student actively engaged in extensive bug bounty work, Ibrahim shares his strategies for managing his time and continuing to acquire new skills.

“Balancing university studies with bug bounty work can be challenging, but over time, I have developed a system that allows me to stay productive in both,” Ibrahim explains.

One of the biggest things that helps him is automation. He has built custom tools and scripts that run continuously in the background, scanning for specific types of vulnerabilities and monitoring public assets.

These tools keep working even while he is focused on assignments or in class, which helps him stay efficient without burning out.

“I also treat bug bounty as an extension of what I learn in class. For example, if we are studying system security or web architecture, I immediately try to apply that knowledge in real-world testing. This not only helps reinforce the theory but also keeps me engaged and motivated.”

Ibrahim usually schedules his week in a way that separates academic responsibilities from research and bug hunting, and he does not push himself to find vulnerabilities every day; instead, he focuses on building consistency and momentum over time.

“I believe artificial intelligence (AI) will shape the future of both offense and defense in cyber security. My long-term goal is to combine my experience in ethical hacking with AI technologies to create smarter, faster, and more scalable ways to detect and prevent vulnerabilities.”

He is also particularly interested in areas like adversarial machine learning, model poisoning, and using AI to automate vulnerability triage and exploit detection. He has already started experimenting with small projects that integrate AI into bug bounty workflows, and hopes to take that further in the coming years.

“AI is not just a tool; it is a new frontier in security. And I want to be part of shaping how we use it responsibly and effectively in protecting systems.

“In fact, I am planning to focus my final year project on this exact intersection between cybersecurity and AI, to explore its real-world applications and challenges in more depth.”