A Finnish boy received a Facebook bug bounty reward, although he’ll have to wait three years before he’s old enough to humblebrag about it on the social media platform. Ten-year-old Jani, whose last name isn’t being shared at the request of his parents, uncovered a way to delete any given comment on Instagram, the photo-sharing company which Facebook bought for $1 billion in 2012.
The flaw Jani exposed gave him the power to erase anyone’s comments, even those posted by “Justin Bieber,” the New York Daily News reports. He left Bieber alone, however, tipping off Facebook instead. Facebook says it fixed the flaw in February.
The Finnish boy was compensated by Facebook to the tune of $10,000. Jani sets a new hacking record as the youngest bug bounty hunter recognized by Facebook; previously that title belonged to a 13-year-old. With the loot he scored from Facebook, Jani plans to buy exactly what a 10-year-old with a ten grand windfall would dream of: soccer gear, a new bike and computers for himself and his twin brother.
This reward puts Jani in the upper tier of hackers Facebook has paid for finding bugs. Since the company launched its bounty program in 2011, Facebook says it has paid out some $4.3 million to over 800 researchers.
Melanie Ensign, a security representative at Facebook, said that most of those payouts are much smaller amounts. The reported $1,780 average reward skews high, she said, with a cluster of very large payouts obscuring the typical sum.
“We base our bounties on the scope of the risk, rather than the novelty or sophistication,” Ensign said. The flaw that Jani found “would have impacted everybody on Instagram.”
It’s not clear how the Finnish boy discovered the Facebook vulnerability. Jani and his brother had a habit of watching videos about computer security on YouTube, FOX News reported. The bug was an issue with Instagram’s application programming interface, or API, which is how the app communicates with a server. If you want to erase a remark from Instagram, the API checks that you have the authority to delete the comment.
“That checking process wasn’t working properly,” Ensign said. “You’re only supposed to be able to delete comments that you own.”
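The ownership check Ensign describes, sketched as an added example. This is not Instagram's code and does not come from the original article; the article does not say how the check failed, so the broken variant, the function names and the sample data below are assumptions.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not perform the action."""

@dataclass
class Comment:
    comment_id: int
    owner_id: int
    text: str

def sample_store():
    # Constructed sample data: two comments owned by two different users.
    return {
        1: Comment(1, owner_id=100, text="first"),
        2: Comment(2, owner_id=200, text="second"),
    }

def delete_comment_unchecked(store, caller_id, comment_id):
    """Broken variant (assumed shape): acts on the id alone, ignores the caller."""
    return store.pop(comment_id, None) is not None

def delete_comment(store, caller_id, comment_id):
    """Hardened variant: authenticate, then authorize against the stored owner."""
    if caller_id is None:  # no session, so no identity to authorize
        raise Forbidden("authentication required")
    comment = store.get(comment_id)
    # The owner is read from the server-side record, never from the request.
    # "Missing" and "not yours" get the same answer so ids cannot be probed.
    if comment is None or comment.owner_id != caller_id:
        raise Forbidden("not permitted")
    del store[comment_id]
    return True

def try_delete(fn, store, caller_id, comment_id):
    """Run one delete attempt and report 'deleted', 'missing' or 'denied'."""
    try:
        return "deleted" if fn(store, caller_id, comment_id) else "missing"
    except Forbidden:
        return "denied"

if __name__ == "__main__":
    for fn in (delete_comment_unchecked, delete_comment):
        store = sample_store()
        # caller_id=None models a request with no signed-in user.
        print(fn.__name__, try_delete(fn, store, None, 2), sorted(store))
```

A regression test for this class of bug deletes a comment as its owner, as a different user and with no session at all, and expects only the first attempt to succeed.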
After Jani told Facebook about his hack, the company created a test Instagram account and posted a comment. All right, Facebook told him, go delete the comment. So he did.
To hear Ensign say it, Jani’s approach was completely ethical - the 10-year-old hacker had neither ulterior motive nor Guy Fawkes mask. He hasn’t even violated Instagram’s terms and conditions, which require users to be at least 13. (Jani’s hack did not require him to sign in or even create an account.) If he had made an account, Ensign said, he may have forfeited his claim for a reward. In the past, Facebook has denied rewards to hackers who found flaws but committed other violations, perhaps most famously snubbing the Palestinian computer researcher who commandeered Mark Zuckerberg’s personal page.
ABC News said the Finnish boy hopes the Facebook reward will launch him into a career in computer security, telling Iltalehti that this would be his “unelma-ammatti” - dream job.