
Facebook pays 10 year old hacker from Finland $10K


Facebook awarded a ten year old boy from Finland $10,000 for uncovering and exploiting a particular bug at their social media site, Instagram. Facebook purchased Instagram for $1 billion in 2012 and since then has what they refer to as a glitch or bug bounty program.

Young Jani, whose last name is not being released for privacy concerns, has become Facebook’s youngest hacker bounty hunter. The previous youngest was 13 years old. The Finnish press first reported that Jani had figured out a way to delete comments, from anyone, on Instagram. He even bragged that he could erase any comments made by Justin Bieber if he wanted to. While Bieber’s account seems safe for now, the story in the Finnish press immediately alerted the folks at Facebook.

Facebook reported that it had fixed the flaw soon after, in February, and agreed to give Jani’s parents $10,000 to hold for him. Jani has said that he plans on spending the money on a new bicycle, some new computers for him and his brother and some new soccer equipment.

Jani finds himself in rather elite company. Facebook has paid over 800 “researchers” $4.3 million since it launched its bounty program back in 2011. For the most part, Facebook has stated that the payouts awarded have been much lower than the one given to Jani. The company states that its awards are based on the overall effect the finding of the glitch would have. The company paid out such a large sum to Jani because they knew that what he was able to do would affect every single Instagram account.

What Jani had stumbled upon was this: apparently the glitch was in Instagram’s application program interface (API), which determines how communication goes between the server and the application. The glitch was in the API because the API is what makes certain that anyone wishing to delete a comment has the authority to do so, in other words, that they are the person who holds the account. Jani discovered that the API was malfunctioning, allowing anyone who wanted to the opportunity to delete anything they wanted from any account on Instagram.
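The kind of check described above, shown as a delete handler without it next to one with it. This is an added illustration, not Instagram's or Facebook's code: the in-memory store, the function names, the sample accounts and the policy (the comment's author or the holder of the account the post belongs to may delete) are all assumptions.

```python
# Added illustration: a toy in-memory comment store, not Instagram's code.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller has no authority over the comment."""


@dataclass(frozen=True)
class Comment:
    comment_id: int
    author: str      # account that wrote the comment
    post_owner: str  # account holding the post the comment sits on
    text: str


def make_store():
    # Constructed sample data.
    rows = [
        Comment(1, "alice", "bob", "nice photo"),
        Comment(2, "carol", "bob", "great shot"),
    ]
    return {c.comment_id: c for c in rows}


def delete_comment_unchecked(store, caller, comment_id):
    """Flawed handler: acts on the comment id in the request and never
    looks at who is asking, so any logged-in caller can delete."""
    return store.pop(comment_id, None) is not None


def delete_comment_checked(store, caller, comment_id):
    """Corrected handler: the server compares the authenticated caller
    with the accounts that have authority over this comment."""
    comment = store.get(comment_id)
    if comment is None:
        return False
    # Assumed policy: the comment's author or the post's account holder.
    if caller not in (comment.author, comment.post_owner):
        raise Forbidden(f"{caller} may not delete comment {comment_id}")
    del store[comment_id]
    return True
```

The decision is made on the server from the authenticated session, never from an account name supplied in the request body.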

When they heard about Jani’s discovery, Facebook created a dummy Instagram account and told Jani to have at it. Well, the young ten year old did have at it and ended up with ten grand.

PHOTO CREDIT: Florian Pircher (Unsplash.com)