Instagram pwned by 10-year-old Finn Jani -- Facebook pays $10,000

Instagram owner Facebook pays Finnish lad ten grand. Zuck trolls hundreds of other researchers: They only got $500.

Instagram Facebook

Instagram hacked by Jani, so Facebook gave him $10,000 because of his white-hat stylee. Also, it's good PR to be seen to reward a 10-year-old proto-researcher.

Facebook paid the bug bounty to the pseudonymous kid from Finland for a vulnerability that could allow anyone to delete any comment, anywhere on the Instagram service. Zuckerberg's crew figured that was a serious problem, which demands a lot more than their usual derisory $500 token.

In IT Blogwatch, bloggers picture this. Not to mention: Finland, Finland, Finland

Your humble blogwatcher curated these bloggy bits for your entertainment. And his own, natch.

What’s the craic? Hanna Gråsten is lost in translation—Jani discovered a vulnerability in Instagram:

Helsinki-based 10-year-old Jani discovered [the] vulnerability in March. ... "I found that I can delete other people's comments," Jani told [me].

After a couple of days, Instagram responded...that the vulnerability has been fixed. As a thank you [he] was paid $10,000 (EUR 9043). ... His father was astonished.

Cunning, eh? Thomas Fox-Brewster agrees—10-Year-Old Hacks Instagram:

Jani (full name not revealed) [is] the youngest ever recipient of a Facebook bug bounty. [The] vulnerability...allowed him to delete any comment on the photo sharing application.

Facebook [said] Jani verified his report by deleting a [test] comment the company posted. ... The problem lay in a private [API] that wasn’t properly checking that the person deleting the comment was who posted it.

The previous youngest recipient of a bounty was just 13. ... Given Jani’s auspicious start, he could become a top whitehat hacker.

How does $10K compare to other bounties? Ben Guarino counts $10,000 for exposing flaw in Instagram:

Facebook compensated [him] or, more accurately, his parents on Jani’s behalf. [It] puts Jani in the upper tier of hackers Facebook has paid. ... Facebook says it has paid out some $4.3 million to over 800 researchers. ... Most of those payouts are much smaller amounts.

“We base our bounties on the scope of the risk,”...Melanie Ensign, a security representative at Facebook...said. The flaw...“would have impacted everybody on Instagram.”

Impressive stuff. And Charlie Osborne lugs the story onward—security flaw:

Facebook awards researchers a minimum of $500 per valid disclosure. ... Jani's bug was considered impressive enough to warrant...$10,000.

What does Jani...plan to do with his winnings? Buy a new PC and bike, of course.

Meanwhile, what's going on in Finland to breed such young hackers? Iain Thomson looks back a couple of months—Facebook bungs 10-year-old kid $10k:

In March, HackerOne CEO Mårten Mickos...who is also Finnish, said the Suomi state is pulling well above its weight...having given us Linus Torvalds, Nokia [and] Monty Widenius. ... He attributed this to its excellent school system, fast and cheap internet...and long, cold, dark Finnish winters.

And Finally…

Michael Palin sings about Finland (badly)

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2016 IDG Communications, Inc.

Shop Tech Products at Amazon