Slashdot Mirror


Facebook Paid $10,000 To A 10-Year-Old For Hacking Instagram (thenextweb.com)

An anonymous reader writes: Facebook has paid $10,000 to a 10-year-old hacker who discovered how one could hack into Instagram and delete comments made by users. Speaking to local publication Iltalehti, Jani said: "I would have been able to eliminate anyone, even Justin Bieber." The Finnish hacker just became the youngest person to receive cash from Facebook for hacking its products. The previous record was set by a 13-year-old back in 2013. What's funny is Jani isn't technically old enough to sign up and use Facebook or Instagram, as it's supposed to be restricted to those under the age of 13. Jani found he could alter code on Instagram's servers and force-delete users' posts. This was confirmed by Facebook using a test account and patched in February, Facebook told Forbes. Facebook has received more than 2,400 valid submissions and awarded upwards of $4.3 million to over 800 researchers since the bounty program launched in 2011.

62 comments

  1. What would be the approximate method? by ceview · · Score: 1

    Anyone know how or what the vector or method might be?

  2. Obligatory XKCD by Anonymous Coward · · Score: 0

    A 10yo with god level access to social media made me think of this...
    Locke and Demosthenes

  3. missed opportunity! by Gravis+Zero · · Score: 4, Funny

    "I would have been able to eliminate anyone, even Justin Bieber."

    ah hell, i would have paid him $20K if he actually had. *sigh*

    --
    Anons need not reply. Questions end with a question mark.
  4. Re:Simple question by Z80a · · Score: 1

    Well, it can entertain someone and make this someone less bored and productive, as well, it's a quite fun story.
    But seems like it did the opposite effect on you.

  5. $10K to Facebook is cheap! by FlyHelicopters · · Score: 4, Insightful

    Frankly, this is smart on Facebook's part... For $10K they avoided a serious flaw in their systems that they didn't catch. Had they not offered the money, he might not have told them.

    Or he might have, but better safe than sorry.

    10 years old? Sheesh, Facebook should hire the kid! :)

    1. Re:$10K to Facebook is cheap! by ttyX · · Score: 2

      They sure did get off cheap here. The bounty doesn't seem reasonable considering the severity.

    2. Re: $10K to Facebook is cheap! by Anonymous Coward · · Score: 0

      Well, if you had been in the parents' place what would you have done? "Accept this generous offer of $10000 now and be publicly happy about it, or suffer having your whole family deported to the US where you will be thrown into a prison pit to be defecated upon night and day while your kid is given up for adoption to pedophiles."

    3. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 0

      Is it the talent of the 10-year-old or is it the poor quality of Instagram?

    4. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 0

      Yes.

    5. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      Funny how this is always the narrative taken. Either the kid is a genius, or the Big Internet Company sucks. Never is it suggested that hacking is so easy, 10 years old can do it.

    6. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 0

      FB security is so crappy, a 10 year old can break it!

      I mean really, how can this even be possible?

    7. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 1

      Never is it suggested that hacking is so easy, 10 years old can do it.

      ... BECAUSE the Big Internet Company sucks. Look, billion-dollar companies can buy loads of security experts who really know their stuff. These people have been studying security a lot longer than Junior has been alive. They know how to audit and test systems, preferably before going live. But you keep more of those billions by going el-cheapo. You get what you pay for.

      Facebook sucks more than Generic_Internet_Corp for a variety of reasons. Zuckerberg's hostile and condescending attitude towards his own users is one of them, the whole arrangement of "you are the product" is another, the fact they are using children now to escape the expense of hiring proper security staff is yet another.

    8. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 1

      10 years old? Sheesh, Facebook should hire the kid! :)

      Reeks of one of those cases, where it was actually the parents who did all the work and then attributed all credit to their kid.

    9. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      "Billion-dollar companies" face the exact same security issues and get hacked by 10-year-old kids (or their equivalent) all the time. And their "top" security experts can't do much about it. I know, I'm one and I work for one.

      The reason these companies fail isn't because their personnel sucks, but because hacking IS easy. Or, more precisely: the cost (in terms of time, effort, expertise, etc.) to hack one of the many systems a typical big company has is completely dwarfed by the cost of securing those systems. The asymmetry between the two investments is so profound, we're not even thinking anymore in terms of preventing hacks, we've moved toward a model where we want to minimize their amount and detect them as fast as possible, because we literally can't do better.

    10. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 0

      You mean current languages weren't designed with security in mind. If making insecure systems is so easy that everyone is doing it whether they want to or not, then that implies the tooling and languages aren't advanced enough. You can change the SQL interface to make SQL-injection impossible. Do most APIs do that? No. Simply adding a less risky function to call isn't acceptable. The risky ones need to be completely removed and the less risky one should have been designed to give no risk.

    11. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      Adopting new coding language is part of the long-term solution, yes, but that's only a small portion of the solution. Security isn't all about software vulnerabilities.

    12. Re:$10K to Facebook is cheap! by zlives · · Score: 1

      but kinda sorta mostly is when considering hacking is a remote activity... typically.

  6. Re:Simple question by wonkey_monkey · · Score: 3, Insightful

    How does a 10 year old getting paid $10k by Facebook affect my life or most people's lives in any significant manner? I'd really like to know.

    Again, I would ask why you think it matters to anyone that you, personally, aren't interested in this particular story.

    Slashdot isn't here to cater to your personal tastes. If you're not interested in a particular story, just ignore it, you moron.

    I expect I'll be downmodded into the oblivion of -1 because nobody can give me a good answer.

    No, you'll get downmodded because it's a stupid question from an idiot.

    --
    systemd is Roko's Basilisk.
  7. 2400 in 5 years? by Anonymous Coward · · Score: 1

    That's approaching Microsoft's territory.. and their codebase is substantially larger and more complex. How are those H1-B workers doing, Mark? Getting what you're paying for?

  8. Cool story, Bro by Anonymous Coward · · Score: 0

    Really nice of them. Still, fuck FB and the sick privacy-chewing pony Zuck came in on.

  9. Try him like an adult by Anonymous Coward · · Score: 1

    then lock him up for twenty without parole. He's a hacker, it's the law!

  10. Re:Simple question by Anonymous Coward · · Score: 0

    Why should the news only deliver stories that specifically and meaningfully impact your life? Nobody really cares.
     
    I expect I'll be downmodded because in the time it takes to refute such a stupid argument someone could have done something more productive, like defecating or trimming the hedges. I'm prepared for nobody to reply to me because you're a much better troll than me. I expect this as much because not replying to me instantly implies that you're gay and love socialism and support child molesters (citation needed).

    Can anyone give me an answer why the news should only deliver stories that cater specifically to what this one individual wants to see? I don't think you can.

  11. 2400 security issues in 5 years by El_Muerte_TDS · · Score: 3, Interesting

    That's more than 1 a day. Maybe Facebook should improve their software development.
    And with 1 security issue a day do you really want to put your "private" info on that system.

    1. Re:2400 security issues in 5 years by drinkypoo · · Score: 2

      And with 1 security issue a day do you really want to put your "private" info on that system.

      I have never understood why anyone has ever used anything other than "public" on social networking, because the only safe thing is to assume that it's all public anyway.

      With that said, I picked up a habit for public blathering with my first website when I was 15, and the web was shiny and new. It doesn't seem to be going away.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:2400 security issues in 5 years by tlhIngan · · Score: 1

      I have never understood why anyone has ever used anything other than "public" on social networking, because the only safe thing is to assume that it's all public anyway.

      Because Facebook is good at marketing.

      The only reason you have privacy controls is because the illusion of privacy results in people giving up more information for you to harvest than if they didn't.

      The adage of never posting online what you don't want the world to know has always been true (at least since the 80s, probably since earlier) but privacy controls are an illusion, one that people keep falling for.

      Ever notice how all the "be safe online" tips always say to use privacy controls? None of them ever really say as the first step "don't post it online"

    3. Re:2400 security issues in 5 years by Anonymous Coward · · Score: 0

      And with 1 security issue a day do you really want to put your "private" info on that system.

      I have never understood why anyone has ever used anything other than "public" on social networking, because the only safe thing is to assume that it's all public anyway.

      With that said, I picked up a habit for public blathering with my first website when I was 15, and the web was shiny and new. It doesn't seem to be going away.

      As a member of several non argumentative atheist groups, because if they are in a very religious area like much of the Muslim world, or in parts of the Christian world like parts of Africa, south and central America and even the Philippines can literally mean the difference between life and death when all you want to do is find someone to talk to.

  12. Re: Simple question by Thanshin · · Score: 1, Insightful

    No. The post was modded down because "how does this affect my tiny little world" is your version of "Frosty Piss".

    You already know the answer: "Nobody cares whether this affects you or not, because nobody cares about you in general."

    Good bye. I'll read you again when you manage to reach a (Score:1)

  13. Under 13 by l0n3s0m3phr34k · · Score: 1

    well, it seems he didn't actually need to have a FB or Instagram account to do any of this, so perhaps he never even had an account on either.

    1. Re:Under 13 by tomhath · · Score: 2

      But his parents did. Do you really think the kid found the hack? Or maybe he got a little assistance?

    2. Re:Under 13 by Anonymous Coward · · Score: 1

      But his parents did. Do you really think the kid found the hack? Or maybe he got a little assistance?

      The cynic in me also notes that if the bounty money is counted as income, and since Finland has progressive taxation, the tax on this would be significantly smaller due to having no income at the age of 10.

    3. Re:Under 13 by l0n3s0m3phr34k · · Score: 1

      They did? That's not mentioned in TFA, nor on the original Forbes article either. Do you know this kid personally, or just guessing?

  14. UKism? by LMariachi · · Score: 4, Interesting

    > it's supposed to be restricted to those under the age of 13

    Is this an Anglicanism I don't know about? In U.S. English, "restricted to" means "only allowed for," e.g. "R-rated movies are restricted to viewers over 17." Viewers under 17 are restricted from viewing them.

    1. Re:UKism? by Anonymous Coward · · Score: 0

      Not a UK thing, it's simply wrong.

      Also, why do you assume it's written by someone from the UK? I can't see anything in the summary that indicates this.

    2. Re:UKism? by Dog-Cow · · Score: 1

      He didn't assume it. He was asking if the phrase meant the opposite in UK English as it does in US English. If so, he would then have concluded that the author of the summary (or article) was British.

    3. Re:UKism? by Scarred+Intellect · · Score: 1

      Seems perfectly acceptable (I'm in the US, born and raised). To those under 13, it's restricted. Try not to overcomplicate things. http://www.merriam-webster.com/dictionary/restricted

    4. Re:UKism? by Anonymous Coward · · Score: 0

      Restricted to those under the age of 13, not "restricted from those under the age of 13".

      Do try to keep up.

    5. Re:UKism? by Anonymous Coward · · Score: 1

      This is one of those cases where TFS is accidentally correct. Once you turn 13, you should no longer be on Facebook or Instagram.

    6. Re:UKism? by n6kuy · · Score: 2

      You're right. In American English anyway.

      "Restricted to X" means available only to X.

      --
      If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
  15. How did he do it? by Anonymous Coward · · Score: 3, Insightful

    TFA gave a lot of useless information and stats but nothing actually of interest.

    How did he do it seems like a more appropriate question.

    1. Re:How did he do it? by wwalker · · Score: 1

      In all likelihood, this part of the story isn't even public. I highly doubt Facebook/Instagram released the technical details of the hack, and since the hacker got paid, I don't think he'll be sharing that info either. By the way, this part in the summary is particularly troubling: "Jani found he could alter code on Instagram's servers and force-delete users' posts." He could alter code on the servers? I kind of hope it was just journalists misrepresenting the truth, and it was just a simple case of the URL parameters not being sanitized correctly or something. It takes a special degree of fuckupness to allow rewriting of code on the server.

  16. Lol, even kids hack it by Anonymous Coward · · Score: 1

    Sadly after Finnish taxes that's more like $4000...

    Also, isn't that a bit embarrassing for a big tech company that even a kid can literally hack it?

  17. Re:Simple question by EmeraldBot · · Score: 0

    Slashdot isn't here to cater to your personal tastes. If you're not interested in a particular story, just ignore it, you moron.

    Yes, you are right of course. The users of a site (that is - the only ones who give that site any ability to make money via ads and paid accounts) should never, ever question any decision made by that site. They should certainly never question such things using the most reasonable and effective means available to them - by posting on that site using the Post button provided by the site itself. I mean, they should never get so carried away as to do something so strange and extreme!

    By the way, you could apply your own logic about stories that get posted, to the comments that get posted. Perhaps posters of comments also aren't here to cater to your personal tastes, or your personal ideas of what they should or shouldn't post about. You could have ignored that.

    Does that make you a moron? Or are you somehow ... a special case?

    You made a stupid and pointless comment, and now you're upset that some people think that? Stories that should be questioned have no relevance to technology, and this most certainly does. You haven't even backed up your point at all besides "eh, I don't like it", and guess what, that's not a good reason for a public newsfeed. Furthermore, you don't have the right to challenge him, because you begged the question:

    Can anyone give me a good answer as to how this affects anyone other than the 10 year old? I don't think you can.

    He was responding to your invitation, so don't even start that he should ignore you. Furthermore, as an anon, you clearly checked back to see if he wrote because you wouldn't get a notification - so not only do you care enough to read the story, not only do you care enough to write an irate comment, but you cared enough to check back and see if anyone had responded. Let's all be honest here, you're a cranky person suffering from a hangover and came here looking to pick a fight, not to contribute anything to the discussion.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  18. That's the reason for these programs in the first by waspleg · · Score: 2, Interesting

    place - that they don't have to hire anyone. It's another form of temp worker program. They don't owe benefits, don't owe pension or 401k matching, nor do they even have the possibility of being sued despite the kid being too young to work basically anywhere.

    How much would they have paid a professional security firm or on staff IT to audit them and get this result?

  19. Re: Simple question by Anonymous Coward · · Score: 1

    You know that cows guy? After like 10 years of reading this site, I think it finally hit me - you're all fucking cows! No human would argue such ridiculous shit on the Internet when they have much better human things to do.

  20. What happens under TPP? by Anonymous Coward · · Score: 1

    Would this kind of activity become illegal under TPP? Not just this particular example, but Facebook's bounty program in general? If the kid is from a country that refuses to sign TPP, could he still be prosecuted?

    1. Re:What happens under TPP? by Joe_Dragon · · Score: 1

      under the TPP they can say that 10K a year is a good wage and that the US min wage is too high under an investor-state dispute

  21. Re:Simple question by Wovel · · Score: 2

    Pro tip. Create an account and log in to post. For many (perhaps most or even all) people, posts by ACs start at -1. This is sensible since most AC posts are completely worthless. Since there is really nothing in your post to suggest it should be significantly modded up, you are likely stuck in that hole.

  22. Re: Simple question by Wovel · · Score: 0

    Your post started at -1 because like so many others you are a coward.

  23. funny by Anonymous Coward · · Score: 1

    how they pay some while deny others

  24. Re:Simple question by TheRaven64 · · Score: 1

    Do you use Facebook? If so, you're entrusting data to a system written by people who write code that a 10-year-old can compromise.

    --
    I am TheRaven on Soylent News
  25. Only $10,000? by twmcneil · · Score: 2

    Cheap Bastards.

    --
    "The ferrets, they're every where I tell you!"
    1. Re: Only $10,000? by jmcvetta · · Score: 1

      What do you expect from a VC-backed company? The big bucks are for people with the right family connections, not for lowly plebs like this kid.

  26. Re:Simple question by Anonymous Coward · · Score: 0

    It's amazing when you observe how people behave. It really truly is. You just provided a good example.

    Generally people will come up with any and every reason for why their own logic should not be applied to themselves. You can especially witness this in people with even a little authority (gov't or corporate). Do as I say, not as I do. What's good for the goose is not good for the gander. Somehow when I do the same thing, well now that's completely different. When you call them on it, all sorts of hand-waving follows, anything other than "say that's a good point". People have egos, which is one thing - people tend to love their egos more than the truth, which is the cause of the problem.

    Most people are like this, so they will naturally tend to support others who are like this. It reinforces and legitimizes the behavior to see others doing it. Being a weakness, it does need this kind of support. So the mods support you too and moderate accordingly, as if that "proves" that one's own logic should not apply to oneself, as if the person who questions that is somehow the problem. Why? Because that's uncomfortable?

    Just consider - how often do you see anyone here say something like "wow that's a great point, I was totally mistaken" and then stop with the old view? You generally don't. Which explanation do you find more plausible: everyone here is always correct and never fails to catch their own flaws - or - hypocrisy is a problem and tends to reinforce itself? One of those explanations is possible, the other is not. But whatever. Mod me down too, that'll fix it up. I might be Anonymous but you, sir, are the real coward.

  27. Daddy must be good with computers. by Anonymous Coward · · Score: 0, Troll

    Sorry, but I just don't buy that a 10 year old found this. I would bet money that daddy or mommy is the one that found the issue and they submitted it through the kid to make the kid seem brilliant. Got the kid an instant 15 minutes of fame anyway.

  28. Impressive But... by Anonymous Coward · · Score: 0

    Perhaps now they can pay someone to figure out why you cannot Block Upvote Farmers nor Report them or Scammers or Fake News Articles.

  29. selfish prick by Anonymous Coward · · Score: 0

    He could have contributed massively to the betterment of mankind by eradicating one of the scourges of our time. Instead he took the measly 10K.

    What a prick.

  30. Please by Anonymous Coward · · Score: 0

    Proofread your summaries before posting them. Twice. Thanks.

  31. He should have taken an alarm clock apart by wyattstorch516 · · Score: 1

    Then put the innards into a suitcase. That would have gotten him a scholarship offer from MIT and an invitation to the White House.