10-Year-Old Receives $10K Facebook Bug Bounty For Finding Instagram Comment Flaw


Since Facebook launched its bug bounty program in 2011, the social media company has divvied up more than $4.3 million, including the $10,000 recently awarded to a 10-year-old who found a vulnerability in Facebook-owned Instagram. 

The Washington Post reports that the 10-year-old hacker from Finland received $10,000 and became the youngest person to garner a payment from Facebook’s bug bounty program.

The youngster, who is too young to actually have an account on Facebook or Instagram per the network’s rules, uncovered a vulnerability in February that allowed anyone to delete comments on Instagram simply by inputting malicious code into the photo-sharing site.

“I tested whether the comments section of Instagram can handle harmful code. Turns out it can’t,” the hacker told the local Finnish paper, Iltalehti. “I noticed that I can delete other people’s comments from there. I could have deleted anyone’s—like Justin Bieber’s, for example—comments.”

The boy didn’t delete Bieber’s comments, and instead notified Facebook of the issue.

The bug was an issue with Instagram’s application programming interface, or API (how the app communicates with a server), Melanie Ensign, a security representative at Facebook, tells the Post, noting the flaw was fixed in February.

When someone wants to erase a remark from Instagram, the API checks that they have the authority to delete the comment.

“That checking process wasn’t working properly,” Ensign said. “You’re only supposed to be able to delete comments that you own.”

Once Facebook was notified of the issue, the company says it created a test Instagram account and posted a comment. They then instructed the boy to delete it, which he was easily able to do.

As for the hefty reward the youngster pocketed, Ensign says Facebook bases bounties on the scope of risk, and that the Finnish boy’s find “would have impacted everybody on Instagram.”

Ars Technica reports that the boy’s feat makes him the youngest hacker to receive a reward for finding a flaw. The previous record holder was a California 12-year-old who found an issue with Mozilla in 2012.

Facebook pays 10-year-old Finnish genius $10,000 for exposing flaw in Instagram [The Washington Post]
10-year-old gets $10,000 bounty for finding Instagram vulnerability [Ars Technica]
