Pune, India — probably awake

Ritik Arorahi.

I break software — professionally.

I find vulnerabilities in software people actually use, build things that are harder to break, and produce music for the hours in between. Ten-plus disclosures, one patent, one Best Paper, and a healthy suspicion of anything that parses input.

  • 0vulns disclosed
  • 0patent published
  • 0CTF podiums
  • Best PaperICCDM ’26 · Springer
01

About

I read the terms of service. Mostly for the XSS.

I'm a security researcher and developer from Pune. The short version: I've responsibly disclosed more than ten vulnerabilities across Nothing OS, Trust Wallet, Phantom, QuickHeal, and Meta — including auth-bypass and RCE-class issues. The kind of bugs where the vendor reply starts with "thank you for the detailed report" and ends with a patch note that carefully avoids saying what happened.

The longer version: I got here by taking apps apart to see why they worked, and staying because sometimes they didn't. These days that means reverse-engineering Android internals with Ghidra and Frida, poking at wallet DApp browsers, and occasionally discovering that a billion-dollar app will crash if you look at a Story the wrong way.

I also build things on purpose. A patented telemetry system for a Formula Student EV. An AI-driven vulnerability scanner that won Best Paper at ICCDM-2026 (Springer). A post-quantum messenger for people whose threat model includes futures that don't exist yet. Breaking software teaches you exactly where builders get lazy — I try to use that knowledge for good, or at least for interesting.

And when the code compiles on the first try — statistically rare, emotionally significant — I produce music. Electronic, mostly. It's on Spotify, and there's a player floating around this page if you'd rather not leave.

The toolkit

Languages

  • C++
  • Python
  • Java
  • Kotlin
  • Dart
  • JavaScript
  • TypeScript
  • SQL

Frameworks & platforms

  • Flutter
  • Android SDK
  • Node.js
  • Firebase
  • PyQt
  • Google Cloud

Security

  • Burp Suite
  • Ghidra
  • Frida
  • Wireshark

Elsewhere

  • Git
  • Docker
  • MQTT
  • OpenGL
  • REST

Proficiency varies with caffeine. There's also a Konami code on this page, if you're the type.

02

Selected work

Four projects, written up properly — what they are, why they exist, and what building them actually involved.

Crakrr

Best Paper — ICCDM 2026 (Springer)
2025

Most web vulnerability scanners are either dumb — spraying payloads and pattern-matching responses — or they need an expert driving. Crakrr is an attempt at a third option: a scanner that reasons about a target the way a human tester does.

It orchestrates Gemini and Claude models through a universal MCP server, letting AI agents crawl an application, form hypotheses about where XSS and SQLi might live, and then verify actual exploitability with Selenium-driven payloads instead of guessing from response strings. The MCP layer means any model that speaks the protocol can be swapped in as the brain.

The paper behind it won Best Paper at ICCDM-2026. The desktop client also has a custom OpenGL interface with hand-written shaders and physics-based animation, which the scanner absolutely did not need. It has them anyway.

Real-Time EV Telemetry

Patent no. 200342064
2025

A Formula Student EV generates a firehose of data and, historically, no good way to see any of it while the car is moving. We co-invented and patented a modular data-acquisition system to fix that.

The hardware is a custom PCB built around a Teensy 4.1, sampling the IMU, CAN bus, and analog sensors at 100Hz and streaming over MQTT. On the receiving end, a PyQt ground station renders live motor phasors (Id/Iq) and computes torque ripple in real time — so the drivetrain team can watch the motor mis-behave as it misbehaves, instead of reconstructing it from logs in the paddock afterwards.

It's the project where embedded C, network protocols, and desktop GUI work all had to hold hands. The patent office agreed it was novel, which was nice of them.

Shushhh

Open source · MIT
Ongoing

A quantum-safe, anonymous, terminal-based messenger — for people whose threat model includes adversaries that don't exist yet. "Just use Signal" is good advice. This is for when it isn't paranoid enough.

Key exchange is hybrid X25519 + ML-KEM-768, so breaking it requires beating both classical and post-quantum assumptions. Messages are sealed with ChaCha20-Poly1305 and routed over Tor. On exit, it wipes its own memory following DoD 5220.22-M — the messenger equivalent of eating the note.

Written in C++17, open-sourced under MIT. Building it meant learning exactly how many places sensitive bytes hide in a running process. The answer is: more.

NoiseNet

Adversarial ML defense
2025

Deepfake generators need clean source images. NoiseNet makes yours quietly poisonous: a defensive perturbation system that embeds adversarial noise into photos so that generation models choke on them, while humans see nothing wrong.

The perturbations live in DCT mid-frequencies — high enough to survive compression, low enough to stay invisible — and are hardened with Expectation-over-Transformation so they survive the crops, resizes, and re-encodes that images suffer in the wild.

Training runs on a parallel GPU + Intel NPU pipeline with asynchronous evaluation, which meaningfully accelerated convergence. Fighting AI with AI, with a straight face.

03

Security research

Things I found that weren't supposed to be found. All responsibly disclosed, all fixed.

My process is unglamorous: pick a target people actually depend on, map how data moves through it, and get suspicious wherever trust changes hands — IPC boundaries, embedded browsers, parsers. Form a hypothesis, build a proof of concept, then write the report I'd want to receive. The 3 AM part is optional but traditional.

CriticalAuth bypass

Nothing OS

JWT theft via Binder IPC — a malicious app on the device could pull authentication tokens across the inter-process boundary. The token thought it was safe. It was not.

CriticalUniversal XSS

Trust Wallet

Arbitrary JavaScript execution in the DApp browser context of a crypto wallet — which is a very bad place for someone else's JavaScript to be running.

HighDenial of service

Meta — Instagram

A crafted Stories payload that reliably crashed Instagram on iOS. One Story, one crash, every time. Triaged and fixed by Meta.

HighDisclosed

Phantom

Security flaw in the wallet, reported through their responsible disclosure program. Details stay vague on purpose — that's how disclosure works.

HighMultiple

QuickHeal

Multiple issues in security software, coordinated and disclosed. Finding bugs in antivirus products is a specific kind of irony I enjoy.

10+ total disclosures. Every one reported privately, verified by the vendor, and patched before a word of it appeared here. I break things so they get fixed — it's called job security.

CTF record

  • Finalist
    Pentathon 2025NCIIPC — national finals
  • 3rd
    Shaastra CTFIIT Madras
  • 4th
    H7CTFGlobal leaderboard

Flags captured under time pressure, dignity occasionally not.

04

Music

When the terminal is compiling, the DAW is open. Press play — everything here streams right on this page.

05

Say hi

Hiring for security or engineering? Found a typo? Want to argue about tabs versus spaces? All valid reasons.

me@ritikarora.com

Response time: faster than most bug bounty triage queues. Low bar, admittedly.