Lindsay France/University Photography

Physics major Eyvind Niklasson '17 has been honored by both Google and Facebook for his help reporting vulnerabilities in their systems.

If you’re worried about whether your website is secure, let freshman Eyvind Niklasson see if he can find a way in.

The physics major from Stockholm, Sweden, has made both Google and Facebook’s lists of helpful “pentesters,” users who have reported vulnerabilities in their systems.

Pentesters are a kinder, gentler form of hackers. They enjoy uncovering secret ways into areas of websites that should remain hidden, but they don’t do it for malicious reasons.

“I know there are plenty of people who engage in the illegal side and make a lot of money,” he said. “But that’s never been tempting for me. It’s just great fun.”

Niklasson has been having such fun since he started taking apart computers at age 8 and his mom hooked him onto “Scratch,” a visual language to introduce children to programming.

“I think my programming interest really comes from a general interest in understanding the world,” Niklasson said. “I always pestered my parents (both pediatricians who now work for the European Union) with all sorts of questions about medicine or why the sky is blue.”

By middle school, Niklasson had evolved his skills enough to extract an administrative password from a school computer. Although he caught the attention of the principal, he didn’t actually do anything with the password.

In high school, he formed a team of students from the U.S., Europe and Australian to enter “Capture the Flag” competitions, university-hosted programs with a hidden string of code – the “flag.” Contestants try to break into the program, find the code and submit it.

Dhrubaditya Mitra, assistant professor in theoretical physics at the Nordic Institute for Theoretical Physics in Stockholm, worked with Niklasson during a summer research program for promising young scientists. He said Niklasson has the two most important qualities needed in a good scientist – inquisitiveness and the ability to work on a problem endlessly without tiring. “Eyvind had these two qualities in huge amounts,” he said. “It was clear from our discussions that he thinks deeply.”

“I was always somewhat successful,” he said, especially since his group was competing against university computer science majors. By that time, Niklasson had taught himself PHP, Python and ASP, the three most common programming languages.

“When you’ve learned these languages and tried them yourself, you begin to see where things could have been badly implemented or exploited,” he said.

Ironically, some of the larger websites are most vulnerable, he said, because they have so many decade-old pages that have never been updated. Or they have implementation flaws related to logins or administrator privileges.

Most of these companies are very happy to have people like Niklasson point out their weaknesses.

The Google PR team wouldn’t comment on Niklasson specifically but pointed to the company’s website, which includes an elaborate explanation of its “close relationship with the security research community.” Google offers rewards of up to $20,000 for finding bugs related to code, and both Google and Facebook laud the top reporters in special pages on their sites.

Despite being recruited by several companies to join them as a pentester, Niklasson is focusing on physics at Cornell. He knew he was in the right place once he stepped into Rockefeller Hall and saw a plaque that said the Physical Review was founded here in 1893. “That’s the biggest journal there is,” he said.

“In physics, you use small clues to try to understand what’s going on behind the scenes,” he said. “It’s very similar to pentesting.”

Kathy Hovis is a writer for the College of Arts and Sciences.