A hacker in Finland has become the youngest person to receive a reward from Facebook’s bug bounty program — but he’ll have to wait three years before he’s old enough to humblebrag about it on the social media platform.
Ten-year-old Jani, whose last name isn’t being shared at the request of his parents, uncovered a way to delete any given comment on Instagram, the photo-sharing company which Facebook bought for $1 billion in 2012 — and which Jani, so to speak, pwned.
The flaw Jani exposed gave him the power to erase anyone’s comments, even those posted by “Justin Bieber,” he told Iltalehti, the news outlet in Finland that first reported Jani’s exploits. He left Bieber alone, however, tipping off Facebook instead. Facebook says it fixed the flaw in February.
Facebook compensated the young Finn — or, more accurately, his parents on Jani’s behalf — to the tune of $10,000. Jani sets a new hacking record as the youngest bug bounty hunter recognized by Facebook; previously that title belonged to a 13-year-old. (With the loot he scored from Facebook, Jani plans to buy exactly what a 10-year-old with a ten grand windfall would dream of: soccer gear, a new bike and computers for himself and his twin brother.)
This reward puts Jani in the upper tier of hackers Facebook has paid for finding bugs. Since the company launched its bounty program in 2011, Facebook says it has paid out some $4.3 million to over 800 researchers.
Melanie Ensign, a security representative at Facebook, told The Washington Post in a telephone interview early Wednesday that most of those payouts are much smaller amounts. The reported $1,780 average reward skews high, she said, with a cluster of very large payouts obscuring the typical sum.
“We base our bounties on the scope of the risk, rather than the novelty or sophistication,” Ensign said. The flaw that Jani found “would have impacted everybody on Instagram.”
It’s not clear how Jani discovered the vulnerability. Iltalehti reports that Jani and his brother had a habit of watching videos about computer security on YouTube. The bug was an issue with Instagram’s application programming interface, or API — how the app communicates with a server. If you want to erase a remark from Instagram, the API checks that you have the authority to delete the comment.
“That checking process wasn’t working properly,” Ensign said. “You’re only supposed to be able to delete comments that you own.”
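What a delete-comment handler with a broken ownership check looks like next to a corrected one, as an added example that is neither Instagram's code nor taken from the article; the in-memory store, the `Comment` record and the handler names are assumptions for illustration:

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Comment:
    comment_id: int
    owner_id: int
    text: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to delete the comment."""


def seed_store() -> Dict[int, Comment]:
    # Constructed sample data: two comments posted by two different users.
    return {
        1: Comment(1, owner_id=100, text="nice photo"),
        2: Comment(2, owner_id=200, text="first!"),
    }


def delete_comment_vulnerable(store, comment_id, requester_id) -> bool:
    # Deletes whatever comment ID is supplied; the requester is never consulted,
    # so any caller, signed in or not, can remove any user's comment.
    if comment_id not in store:
        return False
    del store[comment_id]
    return True


def delete_comment_fixed(store, comment_id, requester_id) -> bool:
    # Authentication first: anonymous callers get no further.
    if requester_id is None:
        raise Forbidden("login required")
    comment = store.get(comment_id)
    # Authorization: only the comment's owner may delete it. A missing comment
    # gets the same error, so callers cannot probe which IDs exist.
    if comment is None or comment.owner_id != requester_id:
        raise Forbidden("not permitted")
    del store[comment_id]
    return True


def attempt(handler, comment_id: int, requester_id: Optional[int]) -> bool:
    # Replays one request against a fresh store; True means the comment was deleted.
    store = seed_store()
    try:
        return handler(store, comment_id, requester_id)
    except Forbidden:
        return False


if __name__ == "__main__":
    for name, h in [("vulnerable", delete_comment_vulnerable),
                    ("fixed", delete_comment_fixed)]:
        print(name, "other user:", attempt(h, 2, 100),
              "anonymous:", attempt(h, 2, None), "owner:", attempt(h, 2, 200))
```

The `attempt` helper mirrors the check Facebook ran: post a comment from a test account, then see whether someone who does not own it can delete it.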
After Jani told Facebook about his hack, the company created a test Instagram account and posted a comment. All right, Facebook told him, go delete the comment. So he did.
To hear Ensign say it, Jani’s approach was completely ethical — the 10-year-old hacker had neither ulterior motive nor Guy Fawkes mask. He hasn’t even violated Instagram’s terms and conditions, which require that users be at least 13. (Jani’s hack did not require him to sign in or even create an account.) If he had made an account, Ensign said, he might have forfeited his claim to a reward. In the past, Facebook has denied rewards to hackers who found flaws but committed other violations, perhaps most famously snubbing the Palestinian computer researcher who commandeered Mark Zuckerberg’s personal page.
Jani hopes to parlay his early prowess into a career in computer security, telling Iltalehti that this would be his “unelma-ammatti” — dream job.