17-year-old Bangladeshi hacks NASA; receives appreciation letter

Md Shariar Shanaz Shuvon, a 17-year-old self-taught ethical hacker from Bangladesh, has discovered a critical security flaw in NASA's cybersecurity infrastructure. The US space agency acknowledged his findings with an official letter of appreciation.
Born and raised in Jhenaigati, Sherpur, Shuvon passed his SSC from Jhinaigati Govt Model Pilot High School. He then enrolled at Malaysia's University of Cyberjaya, where he is currently pursuing a diploma in Information Technology. Alongside his studies, he works as an Information Security Analyst at ERTH (Blue Bee Technologies Sdn. Bhd.), a technology solutions provider specialising in cybersecurity services.
Shuvon's journey into cybersecurity began in Class 7 when he first started learning programming. "I explored free courses, YouTube tutorials, books, and PDFs," Shuvon recalls. By Class 8, he was deep into cybersecurity, bug hunting, and hackathons. "I worked in different tech sectors, like SEO, graphic design, and video editing. But cybersecurity is my true passion," he shares.
On June 11, 2024, Shuvon uncovered a privacy-related bug in NASA's system. He explains his process of finding the NASA bug: "First, I studied recent vulnerabilities that others had found and tested them, but none worked. Then, I combined several vulnerabilities and tried an IDOR (Insecure Direct Object Reference) technique with SSRF (Server-Side Request Forgery)."
He further explains, "By chaining these together, I discovered a bug that gave me access to Earth data containing personal information. With this access, someone could have done phishing attacks, sold the data, or used it unethically. I reported it to NASA, and they fixed it."
He adds, "Before finding NASA's vulnerability, I researched many public reports about bugs. I practised with those methods but couldn't use them properly at first. Eventually, I found NASA's domain where their Earth data was stored, which led to the discovery."
He responsibly reported the system flaw through the Vulnerability Disclosure Policy (VDP), which is a program by NASA that allows security researchers to legally report system vulnerabilities. By February 2025, NASA acknowledged his contribution with an official appreciation letter, recognising him as an independent security researcher who adhered to ethical guidelines.
But NASA wasn't his only high-profile success. Shuvon has also found vulnerabilities in major companies like Sony and Meta. At Sony, he discovered an IDOR bug that allowed self-access to unauthorised data, while at Meta, he identified a privacy flaw where hidden reactions in profiles could still be viewed through code manipulation. "I mainly focus on two types of bugs - IDOR and information disclosure bugs. These are my specialities," he explains.
Shuvon also reached the number 1 global rank on TryHackMe, a leading online platform for cybersecurity training and penetration testing challenges that hosts over 2 million users worldwide.
When asked about his technical approach to bug-finding, Shuvon explained that he commonly uses tools like Burp Suite, Nuclei, Google Dorks, and platforms such as HackerOne and Bugcrowd to find vulnerable systems. "Tools help, but success comes from a hacker's mindset - thinking logically and spotting what others miss," he adds.
Despite global opportunities, Shuvon dreams of contributing to Bangladesh's cybersecurity landscape. According to him, most organisations in Bangladesh don't take digital threats seriously, and there is no proper bug reporting system. He therefore feels that companies need to recruit qualified personnel to read bugs and submit them using a bug reporter.
Shuvon shares, "I want to spread awareness in Bangladesh of the damage bugs can cause. I also want to help develop a bug reporting system for major tech-dependent companies."
His long-term goals are bigger. "I want to keep learning, help others, and maybe build tools or a company someday," he reveals. "Bug hunting is just the beginning."