Facebook Awards $10000 to 10-year-old Boy for Finding Comment-Deleting Exploit on Instagram App

Jani, a 10-year-old boy, was just awarded $10,000 by Facebook (NASDAQ: FB) after he was able to find a vulnerability on Instagram that could have been exploited by anyone else.

Facebook awarded Jani under its bug bounty program, which rewards security researchers and white-hat hackers for reporting vulnerabilities in its social network or applications. Jani, who is from Finland, became the youngest recipient ever in Facebook's bounty program.

The vulnerability he discovered made it possible to delete any comment on Instagram. Even without access to the commenter's or the photo owner's account, he was able to delete comments by altering code sent to Instagram's servers.

Jani told the Finnish publication Iltalehti that he could have deleted the comments of anyone on Instagram, including Justin Bieber. He could have removed anyone's comments across the network, but he chose to report the bug to Facebook instead.

While the exploit does not seem too harmful, it could still be used to troll or harass someone on Instagram. Some people also communicate with friends on the photo-sharing app through comments, and deleting them could cause misunderstandings.

To verify Jani's report, Facebook told FORBES that it created a test account and asked the boy to delete a comment on it. Jani was able to do so and was then awarded the bounty.

The bug was patched in February, when it was first reported to Facebook. In March, Jani was paid the $10,000, or 9,043 EUR.

Jani altered code sent to the app's private application programming interface (API). When the altered request was processed, the server did not check whether the person asking to delete the comment was the one who had posted it in the first place.
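The missing check described above, as an added illustration that is not Instagram's code or anything from the article: a minimal model of a comment-delete endpoint, first trusting the client-supplied comment id outright, then with the server-side ownership check that closes the hole. All account names, ids and comment text are constructed.

```python
# Added example (not from the article or from Instagram): a comment-delete
# handler without and with a server-side authorization check.
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    photo_owner: str   # account that owns the photo the comment sits under
    author: str        # account that wrote the comment
    text: str


@dataclass
class CommentStore:
    comments: dict = field(default_factory=dict)

    def add(self, c: Comment) -> None:
        self.comments[c.comment_id] = c


def delete_comment_vulnerable(store: CommentStore, comment_id: int, requester: str) -> bool:
    """Trusts the client: any authenticated user can delete any comment id.
    The requester is never compared with the comment's author or photo owner."""
    if comment_id not in store.comments:
        return False
    del store.comments[comment_id]
    return True


def delete_comment_checked(store: CommentStore, comment_id: int, requester: str) -> bool:
    """Server-side authorization: only the comment's author or the owner of
    the photo may delete it. Any other requester is refused and nothing changes."""
    c = store.comments.get(comment_id)
    if c is None:
        return False
    if requester not in (c.author, c.photo_owner):
        # Refuse; logging refused deletes per account gives an audit trail of abuse.
        return False
    del store.comments[comment_id]
    return True


def demo() -> tuple:
    """Constructed scenario: an unrelated account tries to delete others' comments."""
    store = CommentStore()
    store.add(Comment(1, "photo_owner", "fan123", "great photo"))
    store.add(Comment(2, "photo_owner", "fan456", "nice"))
    stranger_vuln = delete_comment_vulnerable(store, 1, "stranger")   # True: deleted
    stranger_checked = delete_comment_checked(store, 2, "stranger")   # False: refused
    owner_checked = delete_comment_checked(store, 2, "photo_owner")   # True: allowed
    return stranger_vuln, stranger_checked, owner_checked, len(store.comments)
```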

"I tested whether the comments section of Instagram can handle harmful code. Turns out it can’t. I noticed that I can delete other people’s comments from there," Jani said in his native tongue.

Facebook has already given out $4.3 million to over 800 researchers across the globe who found vulnerabilities and exploits on their network and applications. Indian researchers collectively have the most reports for the bug bounty program.

In March, Facebook also awarded product security engineer Anand Prakash $15,000 for finding a bug that allowed virtually anyone to break into any Facebook account. Prakash did so by running brute force attacks against Facebook's "forgot my password" link.

When a Facebook user clicks the link, they are taken to a page where they must enter the passcode sent to the account owner's email. When someone makes too many attempts to guess a password, they are locked out of the account.

However, the passcode for resetting a Facebook account's password did not have the same protection. Prakash was able to reset other people's Facebook passwords by repeatedly guessing the reset passcode with brute force tools until he hit the correct one.
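The mitigation the two paragraphs above point at, as an added example that is not Facebook's code: a reset-code verifier that gives the emailed passcode the same attempt limit a login form gives a password, expires codes, and invalidates a code once the limit is hit so guessing cannot continue. The limits, code format and account names are constructed assumptions.

```python
# Added example (not Facebook's implementation): lockout and expiry for a
# password-reset passcode, so it cannot be brute forced like an unlimited field.
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code (assumed value)
CODE_TTL_SECONDS = 600    # code expires after 10 minutes (assumed value)


class ResetCodeService:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry is testable
        self._pending = {}         # account -> [code, issued_at, failed_attempts]

    def issue(self, account: str) -> str:
        """Issue a fresh 6-digit code; replaces any code still pending."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [code, self._now(), 0]
        return code

    def verify(self, account: str, guess: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                       # nothing pending, or already locked
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]         # expired: a new code must be requested
            return False
        if hmac.compare_digest(code, guess):   # constant-time comparison
            del self._pending[account]         # single use
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]         # lock: invalidate so guessing stops
        return False


def demo() -> tuple:
    """Constructed scenario: an attacker exhausts the attempts, then the real
    user requests a fresh code and succeeds."""
    svc = ResetCodeService()
    account = "alice@example.test"             # constructed account name
    code = svc.issue(account)
    wrong = "000000" if code != "000000" else "000001"
    failures = [svc.verify(account, wrong) for _ in range(MAX_ATTEMPTS)]
    locked_out = svc.verify(account, code)     # correct code, but already locked
    fresh = svc.issue(account)
    legit = svc.verify(account, fresh)
    return any(failures), locked_out, legit
```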

Had it not been reported, other hackers could have used the same method. There may even have been hackers compromising accounts before the bug was reported and patched.

Unlike Jani, Prakash is already 23 years old. He has found several bugs in Facebook before and took third place for the most bugs found in the program in 2014.

In another, separate case, Facebook awarded $10,000 to a bug bounty hunter who discovered that other hackers had already managed to breach Facebook's internal network several months earlier. The hacker or group of hackers with access to the network could have downloaded a list of employee usernames and passwords without alerting Facebook.

The researcher said the hackers had created a proxy on the login page for Facebook employees. Whenever someone logged in, their credentials were stored in plain text in a directory the hackers could collect from.

Once the hackers had employees' login credentials, they could use them to reach more restricted parts of the network. They might even have stumbled upon the login credentials of Facebook's billions of users worldwide.

With his impressive feat and determination, Jani could grow up to be a good white-hat hacker. He even said he dreams of being a security researcher because "security" is important.

How did Jani learn to search for bugs and exploits? Facebook CEO Mark Zuckerberg did not even start learning to program until the age of 11, when he got a tutor, according to The Guardian.

Jani said that he learned through the Internet. He and his twin brother usually watch YouTube videos on how to hack or how to program.

It is true that YouTube is home to a million "how to" videos and tutorials on almost any subject imaginable. Someone could search how to start a garden or how to draw a portrait. There are even tutorials on how to make smoke bombs from household items.

At such a young age, Jani still has a lot of potential and room to improve in his chosen field. He said he would spend the $10,000 on a football and a new bicycle.

Jani's classmates were all surprised to learn that Facebook had awarded him such a large sum. Even his father, Marko, was astonished to learn that his son already has skills that some people spend years practicing before they get a decent payout.

Marko said the "social media gibberish" is all "Greek" to him. Jani's twin brother also helped him search for security holes, and they have been doing so for quite some time. They had found a few before, but were not paid because those were minor bugs.

Article Source: TriNesty.