Facebook rewards child hacker with $10K bounty

A 10-year-old hacker in Finland found and reported a security flaw on Instagram, for which he was handsomely rewarded.

Kacper Pempel/Reuters/File
An illustration file picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw.

A 10-year-old Finnish boy snagged $10,000 from Facebook for finding and reporting a security flaw he discovered on its photo- and video-sharing service Instagram. Given that the young hacker is three years shy of the age required to open an account on Facebook, he can’t even share the good news.

Jani, whose parents have asked media to withhold his last name, found a way to delete comments posted under images on other people’s accounts on Instagram. He could delete anyone’s comments, even those of pop star Justin Bieber (though he didn’t), he told Finnish newspapers.

The problem, which Facebook fixed in February, was with Instagram’s API, or application program interface, a way for developers to use Instagram data to incorporate its features into their apps. Instagram’s API is supposed to confirm that a user has the authority to delete a comment.

“That checking process wasn’t working properly,” Melanie Ensign, a security representative at Facebook, explained to The Washington Post. “You’re only supposed to be able to delete comments that you own,” she said.
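The kind of ownership check described above can be shown with a short added example. It is not Instagram's code and does not reproduce the actual flaw, whose details the article does not give; the in-memory store, the handler names and the sample IDs are all hypothetical. It puts a delete handler that only checks that the comment exists next to one that also checks that the caller wrote it.

```python
from dataclasses import dataclass

@dataclass
class Comment:
    comment_id: int
    author_id: int   # user who wrote the comment
    text: str

class Forbidden(Exception): pass
class NotFound(Exception): pass

class CommentStore:
    """Hypothetical in-memory stand-in for the comment database."""
    def __init__(self, comments):
        self._by_id = {c.comment_id: c for c in comments}
    def get(self, comment_id):
        return self._by_id.get(comment_id)
    def delete(self, comment_id):
        self._by_id.pop(comment_id, None)

def delete_comment_unchecked(store, caller_id, comment_id):
    # Fails open: the caller is authenticated, but nothing ties
    # caller_id to the comment being removed.
    if store.get(comment_id) is None:
        raise NotFound(comment_id)
    store.delete(comment_id)

def delete_comment_checked(store, caller_id, comment_id):
    # Object-level authorization: load the object first, then compare
    # its owner with the authenticated caller before acting on it.
    comment = store.get(comment_id)
    if comment is None:
        raise NotFound(comment_id)
    if comment.author_id != caller_id:
        raise Forbidden(comment_id)
    store.delete(comment_id)

def sample_store():
    # Constructed sample data: user 1 wrote comment 100.
    return CommentStore([Comment(100, author_id=1, text="nice photo")])

def try_delete(handler, caller_id, comment_id):
    """Run one handler on a fresh store; return (outcome, comment_still_exists)."""
    store = sample_store()
    try:
        handler(store, caller_id, comment_id)
        outcome = "deleted"
    except (Forbidden, NotFound) as exc:
        outcome = type(exc).__name__
    return outcome, store.get(comment_id) is not None
```

Calls such as `try_delete(delete_comment_checked, 2, 100)` work well as regression tests: the non-owner case is the one that has to keep failing after every later change to the handler.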

It’s not unusual for Facebook, Google, Twitter, Yahoo, Microsoft, and others to court hackers with so-called bounties to help their internal teams identify and fix potential security problems – and to deter hackers from selling information about vulnerabilities to criminals or spy agencies.

Jani is among about 800 hackers who collectively have earned $4.3 million since 2011 through Facebook’s bounty program. A typical bounty is $1,780, though that’s skewed high by several huge rewards, according to The Post.

The Finn is also the youngest Facebook hacker, beating out a 13-year-old for the title, and one of the highest paid by the company.

But there have been younger hackers. The youngest appears to be Kristoffer Von Hassel from San Diego, Calif., who discovered a security flaw on the online gaming service Xbox Live in 2014, when he was five. As a reward for his discovery, Kristoffer got four video games, $50, and a year-long subscription to Xbox Live from Microsoft. 

“I was like...yeah!” the youngster told CNN affiliate KVTV-10.

Not all young hackers take the noble route and report the flaws they uncover. In October a high-school student motivated by his dislike for US foreign policy broke into the e-mails of CIA Director John Brennan and posted some of their contents on Twitter.

He was arrested by British authorities in February, reported CBS News.

There's a way to help tech-savvy kids develop their skills, while discouraging them from using them to do harm. Parents of young hackers should embrace their talent and foster it, some say, while trying to steer the kids towards hacking for good.

“Hacker kids are not like other kids,” Sabino Marquez, an information risk strategist, told The Christian Science Monitor recently. “You really have to cater to their sense of curiosity while simultaneously instilling iron-clad ethics to ensure that they do no evil,” he said.
