Finnish boy, 10, gets $14k Facebook bounty

The boy found that he could delete other people's comments when he input malicious code into Instagram's comment field.
The boy found that he could delete other people's comments when he input malicious code into Instagram's comment field.PHOTO: BLOOMBERG

HELSINKI • A 10-year-old Finnish boy has received a US$10,000 (S$14,000) bounty from Instagram after finding a security fault in the service, Finnish daily Iltalehti reported on Tuesday.

The boy, whose name is Jani, discovered the security vulnerability in the mobile photo-sharing service owned by Facebook early this year, said the daily, according to a Xinhua report.

He found that he could delete other people's comments when he input malicious code into the comment field of the application.

He reported the bug by e-mail, providing proof by deleting a message from one of Facebook's test Instagram accounts. The bug was fixed in February and Facebook paid him the bounty in March, reported Forbes.

According to a Facebook spokesman, the problem was a slice of code that failed to check that the person who deleted a comment was the same one who posted it.

The boy said he had been enthusiastic about coding games for years and was building up his skills on his own, and with his twin brother.

According to a Facebook spokesman, the problem was a slice of code that failed to check that the person who deleted a comment was the same one who posted it.

"I would have been able to remove anyone, even Justin Bieber," Jani told Iltalehti.

Jani's father said he was very surprised that his son had learnt so much about coding and data security, according to the Xinhua report.

The boy said he dreamt of becoming an information security expert in the future.

"It would be my dream job. Security is really important," Jani was quoted as saying.

He is the youngest person to be paid through the bug bounty programme on Facebook so far, but while the achievement is impressive, it is not new. Facebook gets reports from time to time, and it is not uncommon in the tech industry.

Previously, the youngest person to be paid a Facebook bug bounty was 13, reported Forbes.

Facebook has awarded more than US$4.3 million to more than 800 researchers around the world under its bug bounty programme. Last year, it paid US$936,000 to 210 researchers for 526 reports.

A version of this article appeared in the print edition of The Straits Times on May 05, 2016, with the headline 'Finnish boy, 10, gets $14k Facebook bounty'. Print Edition | Subscribe