Naked Security

10-year-old gets $10K for comment-deleting Instagram bug

Too young to have a Facebook account, but not too young to pwn Instagram.

A 10-year-old Finnish kid just became the youngest ever to get a bug bounty from Facebook.

Jani, from Helsinki, has surprised family, friends and teachers by demonstrating how he could delete any comment from the Facebook-owned photo-sharing app Instagram – a feat for which he’s been rewarded $10,000.

He’s too young to actually have an Instagram or Facebook account, for which the minimum age requirement is 13. He’s not too young to pwn Instagram, though.

Jani, whose last name hasn’t been released, told the Finnish publication Iltalehti that he could have knocked out anyone’s comments, from normal people on up to celebrities:

I would have been able to eliminate anyone, even Justin Bieber.

Facebook told Forbes that Jani verified his report by deleting a comment the company posted on a test account.

According to a spokesperson, Facebook confirmed the bug was patched in late February. Facebook handed Jani his $10,000 reward in March.

The problem lay in a private application programming interface (API) that allows certain outside access. The code hadn’t been properly checking the identity of the person deleting a comment to verify that it was the same one who posted it, the spokesperson said.
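The class of flaw the spokesperson describes, a delete handler that never compares the caller with the comment's author, is shown below beside a corrected handler and a regression check. This is an added illustration, not Instagram's or Facebook's code: the store, the handler names and the sample users are hypothetical, and it assumes only the comment's author may delete it.

```python
from dataclasses import dataclass


@dataclass
class Comment:
    comment_id: int
    author_id: str
    text: str


class CommentStore:
    """In-memory stand-in for a comment backend (hypothetical)."""

    def __init__(self, comments):
        self.comments = {c.comment_id: c for c in comments}

    def delete_unchecked(self, caller_id, comment_id):
        # Flawed pattern from the article: the caller is known,
        # but is never compared with the comment's author.
        return self.comments.pop(comment_id, None) is not None

    def delete_checked(self, caller_id, comment_id):
        # Corrected pattern: authorise against the stored author first.
        comment = self.comments.get(comment_id)
        if comment is None:
            return False
        if comment.author_id != caller_id:
            raise PermissionError("caller is not the comment author")
        del self.comments[comment_id]
        return True


def sample_store():
    # Constructed sample data, not real accounts or comments.
    return CommentStore([Comment(1, "alice", "nice photo"),
                         Comment(2, "bob", "great shot")])


def allows_cross_user_delete(handler_name):
    """Regression check: can 'bob' remove a comment written by 'alice'?"""
    store = sample_store()
    try:
        getattr(store, handler_name)("bob", 1)
    except PermissionError:
        pass
    return 1 not in store.comments


if __name__ == "__main__":
    for name in ("delete_unchecked", "delete_checked"):
        print(name, "allows cross-user delete:", allows_cross_user_delete(name))
```

Run against every delete handler in a test suite, a check like `allows_cross_user_delete` catches a missing ownership comparison before release.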

The $10,000 bounty is a sizable one, given that the starting payout in Facebook’s bounty program is $500.

But it’s peanuts compared to what a researcher thought his bug was worth when he claimed, in December, to have discovered “Instagram’s Million Dollar Bug.”

Uhh… no, Facebook said: multiple people found it, but we can give you $2,500 anyway. The company wound up paying out even less for that $1 million bug – the grand total of zilch – since it figured the researcher crossed the line of responsible, ethical bug reporting to “rummage” through data.

Other code slip-ups that have been found in Instagram recently include a bug, since patched, that could have allowed others to read your direct messages.

Then too, there was the burglar who used Instagram location data to find victims’ homes and steal a motley mix of the usual – electronics – and the “whaaaa..???” – including underwear.

Which isn’t an Instagram bug, of course, but, well, underwear. Plus, it’s a good excuse to read up on smartphone privacy and security.

According to Facebook’s latest update, it’s paid out more than $4.3 million to more than 800 researchers around the world.

Last year, it received 13,233 submissions and paid out $936,000 to 210 researchers for a total of 526 reports.

The average payout was $1,780. The countries that claimed the most recipients were India, Egypt, and Trinidad and Tobago.

Jani has stolen the title of youngest recipient from a 13-year-old.

He plans to buy a bike, he told Iltalehti. And a football.

4 Comments

Next up… 3 year old hacks NSA and gets hired by the US Pentagon!

I’m really getting tired of these crap stories that have no real “bones in their meat”… Can’t believe people fall for them.
