10-year-old finds Instagram flaw, Facebook pays him $10,000

04 May 2016


By typing in malicious code, high-level bug erases comments 


On Wednesday, social media giant Facebook took a humble bow to a 10-year old Finnish lad’s code-altering skills and paid him $10,000 for discovering a high-risk flaw in its Instagram API. The bug allowed any Instagram commenter to type malicious code into the comment section of any status update and effectively delete anyone’s comments from a post.

"I wanted to see if Instagram's comment field could stand malicious code. Turns out it couldn't," 10-year old Helsinki-based Jani told Finland's Iltalehti newspaper. “I could have deleted anyone’s – like Justin Bieber’s for example.”

According to Forbes, Facebook posted a comment on a test account which the Finnish lad was then able to delete by altering code on Instagram’s servers. A company spokesperson says the issue stemmed from a private API not properly checking that the person deleting a comment is the same as the one who posts it.
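The missing check the spokesperson describes can be shown with a small in-memory model. This is an added example, not Instagram's code: the `CommentStore` class, its method names and the sample data are assumptions made for illustration, and the owner-only rule is taken from the description above.

```python
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    author_id: str
    text: str


@dataclass
class CommentStore:  # hypothetical stand-in for the comment backend
    comments: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)  # audit trail of refused deletes

    def post(self, comment_id, author_id, text):
        self.comments[comment_id] = Comment(comment_id, author_id, text)

    def delete_unchecked(self, requester_id, comment_id):
        """Flawed form: the comment ID alone decides; the requester is ignored."""
        return self.comments.pop(comment_id, None) is not None

    def delete_checked(self, requester_id, comment_id):
        """Hardened form: require an identity, then compare it to the stored author."""
        if requester_id is None:
            self.denied.append((requester_id, comment_id, "unauthenticated"))
            return False
        comment = self.comments.get(comment_id)
        if comment is None or comment.author_id != requester_id:
            # Same answer for "missing" and "not yours" so IDs cannot be probed.
            self.denied.append((requester_id, comment_id, "not-owner-or-missing"))
            return False
        del self.comments[comment_id]
        return True


def run_case(method_name, requester_id):
    """Post one constructed comment, attempt a delete, report the outcome."""
    store = CommentStore()
    store.post(1, "test_account", "constructed sample comment")
    deleted = getattr(store, method_name)(requester_id, 1)
    return deleted, 1 in store.comments, list(store.denied)


if __name__ == "__main__":
    for method in ("delete_unchecked", "delete_checked"):
        for who in (None, "other_user", "test_account"):
            print(method, who, run_case(method, who))
```

The `denied` list doubles as a detection signal: repeated refusals from one requester across many comment IDs are worth alerting on.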

In 2011, Facebook began a software bug bounty program that lets individuals cash in on low-, mid- and high-level risks they find in company software, including Instagram. Payouts vary with the perceived level of risk. In 2015, the average reward was $1,780, so the $10,000 payout indicates that Facebook considers Jani’s discovery a high-level risk.

Whenever a bounty is awarded, the company provides rechargeable debit cards to speed up the payment process to successful program participants. In five years, the company has paid $4.3 million to more than 800 researchers for over 2,400 submissions. Instagram was added to the bounty program in 2014.

“The Facebook bug bounty program pays out based on a bug's risk, rather than its complexity or cleverness. This means you can maximize the value of your report by focusing on high-impact areas and submitting good quality reports. We strongly recommend you check out our policy at facebook.com/whitehat before starting your investigation.”

Jani, whose last name is not mentioned, claims he learned his coding skills simply by watching YouTube instructional videos. Apparently, the early start to his education landed him $10,000. The original Finnish publication Iltalehti says he is now thinking about a career in data security, but currently plans to buy a new bike, new soccer gear, a football, and possibly some upgraded computers for himself and his twin brother with his reward money.

Of course, there is a catch to this story – Instagram’s terms of service state that its users must be 13 years or older to use the picture and video-sharing platform. Jani claims, however, he didn’t need to make an account to delete comments.

He is officially the youngest person to receive a reward from the program, a record first set by a 13-year old in 2013.

A rechargeable debit card awarded by Facebook's Bug Bounty Program

Last modified on 04 May 2016