Slashdot Mirror


Facebook Paid $10,000 To A 10-Year-Old For Hacking Instagram (thenextweb.com)

An anonymous reader writes: Facebook has paid $10,000 to a 10-year-old hacker who discovered how one could hack into Instagram and delete comments made by users. Speaking to local publication Iltalehti, Jani said: "I would have been able to eliminate anyone, even Justin Bieber." The Finnish hacker just became the youngest person to receive cash from Facebook for hacking its products. The previous record was set by a 13-year-old back in 2013. What's funny is Jani isn't technically old enough to sign up and use Facebook or Instagram, as it's supposed to be restricted to those under the age of 13. Jani found he could alter code on Instagram's servers and force-delete users' posts. This was confirmed by Facebook using a test account and patched in February, Facebook told Forbes. Facebook has received more than 2,400 valid submissions and awarded upwards of $4.3 million to over 800 researchers since the bounty program launched in 2011.


  1. What would be the approximate method? by ceview · · Score: 1

    Anyone know how or what the vector or method might be?

  2. missed opportunity! by Gravis Zero · · Score: 4, Funny

    "I would have been able to eliminate anyone, even Justin Bieber."

    ah hell, i would have paid him $20K if he actually had. *sigh*

    --
    Anons need not reply. Questions end with a question mark.
  3. Re:Simple question by Z80a · · Score: 1

    Well, it can entertain someone and make this someone less bored and productive, as well, it's a quite fun story.
    But seems like it did the opposite effect on you.

  4. $10K to Facebook is cheap! by FlyHelicopters · · Score: 4, Insightful

    Frankly, this is smart on Facebook's part... For $10K they avoided a serious flaw in their systems that they didn't catch. Had they not offered the money, he might not have told them.

    Or he might have, but better safe than sorry.

    10 years old? Sheesh, Facebook should hire the kid! :)

    1. Re:$10K to Facebook is cheap! by ttyX · · Score: 2

      They sure did get off cheap here. The bounty doesn't seem reasonable considering the severity.

    2. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      Funny how this is always the narrative taken. Either the kid is a genius, or the Big Internet Company sucks. Never is it suggested that hacking is so easy, 10 years old can do it.

    3. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 1

      Never is it suggested that hacking is so easy, 10 years old can do it.

      ... BECAUSE the Big Internet Company sucks. Look, billion-dollar companies can buy loads of security experts who really know their stuff. These people have been studying security a lot longer than Junior has been alive. They know how to audit and test systems, preferably before going live. But you keep more of those billions by going el-cheapo. You get what you pay for.

      Facebook sucks more than Generic_Internet_Corp for a variety of reasons. Zuckerberg's hostile and condescending attitude towards his own users is one of them, the whole arrangement of "you are the product" is another, the fact they are using children now to escape the expense of hiring proper security staff is yet another.

    4. Re:$10K to Facebook is cheap! by Anonymous Coward · · Score: 1

      10 years old? Sheesh, Facebook should hire the kid! :)

      Reeks of one of those cases, where it was actually the parents who did all the work and then attributed all credit to their kid.

    5. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      "Billion-dollar companies" face the exact same security issues and get hacked by 10 years old kid (or their equivalent) all the time. And their "top" security experts can't do much about it. I know, I'm one and I work for one.

      The reason these companies fail isn't because their personnel sucks, but because hacking IS easy. Or, more precisely: the cost (in terms of time, effort, expertise, etc.) to hack one of the many systems a typical big company has is completely dwarfed by the cost of securing those systems. The asymmetry between the two investments is so profound, we're not even thinking anymore in terms of preventing hacks, we've moved toward a model where we want to minimize their amount and detect them as fast as possible, because we literally can't do better.

    6. Re:$10K to Facebook is cheap! by ZouPrime · · Score: 1

      Adopting new coding language is part of the long-term solution, yes, but that's only a small portion of the solution. Security isn't all about software vulnerabilities.

    7. Re:$10K to Facebook is cheap! by zlives · · Score: 1

      but kinda sorta mostly is when considering hacking is a remote activity... typically.

  5. Re:Simple question by wonkey_monkey · · Score: 3, Insightful

    How does a 10 year old getting paid $10k by Facebook affect my life or most people's lives in any significant manner? I'd really like to know.

    Again, I would ask why you think it matters to anyone that you, personally, aren't interested in this particular story.

    Slashdot isn't here to cater to your personal tastes. If you're not interested in a particular story, just ignore it, you moron.

    I expect I'll be downmodded into the oblivion of -1 because nobody can give me a good answer.

    No, you'll get downmodded because it's a stupid question from an idiot.

    --
    systemd is Roko's Basilisk.
  6. 2400 in 5 years? by Anonymous Coward · · Score: 1

    That's approaching Microsoft's territory.. and their codebase is substantially larger and more complex. How are those H1-B workers doing, Mark? Getting what you're paying for?

  7. Try him like an adult by Anonymous Coward · · Score: 1

    then lock him up for twenty without parole. He's a hacker, it's the law!

  8. 2400 security issues in 5 years by El_Muerte_TDS · · Score: 3, Interesting

    That's more than 1 a day. Maybe Facebook should improve their software development.
    And with 1 security issue a day do you really want to put your "private" info on that system.

    1. Re:2400 security issues in 5 years by drinkypoo · · Score: 2

      And with 1 security issue a day do you really want to put your "private" info on that system.

      I have never understood why anyone has ever used anything other than "public" on social networking, because the only safe thing is to assume that it's all public anyway.

      With that said, I picked up a habit for public blathering with my first website when I was 15, and the web was shiny and new. It doesn't seem to be going away.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:2400 security issues in 5 years by tlhIngan · · Score: 1

      I have never understood why anyone has ever used anything other than "public" on social networking, because the only safe thing is to assume that it's all public anyway.

      Because Facebook is good at marketing.

      The only reason you have privacy controls is because the illusion of privacy results in people giving up more information for you to harvest than if they didn't.

      The adage of never posting online what you don't want the world to know has always been true (at least since the 80s, probably since earlier) but privacy controls are an illusion, one that people keep falling for.

      Ever notice how all the "be safe online" tips always say to use privacy controls? None of them ever really say as the first step "don't post it online"

  9. Re: Simple question by Thanshin · · Score: 1, Insightful

    No. The post was modded down because "how does this affect my tiny little world" is your version of "Frosty Piss".

    You already know the answer: "Nobody cares whether this affects you or not, because nobody cares about you in general."

    Good bye. I'll read you again when you manage to reach a (Score:1)

  10. Under 13 by l0n3s0m3phr34k · · Score: 1

    well, it seems he didn't actually need to have a FB or Instagram account to do any of this, so perhaps he never even had an account on either.

    1. Re:Under 13 by tomhath · · Score: 2

      But his parents did. Do you really think the kid found the hack? Or maybe he got a little assistance?

    2. Re:Under 13 by Anonymous Coward · · Score: 1

      But his parents did. Do you really think the kid found the hack? Or maybe he got a little assistance?

      The cynic in me also notes that if the bounty money is counted as income, and since Finland has progressive taxation, the tax on this would be significantly smaller due to having no income at the age of 10.

    3. Re:Under 13 by l0n3s0m3phr34k · · Score: 1

      They did? That's not mentioned in TFA, nor on the original Forbes article either. Do you know this kid personally, or just guessing?

  11. UKism? by LMariachi · · Score: 4, Interesting

    > it's supposed to be restricted to those under the age of 13

    Is this an Anglicanism I don't know about? In U.S. English, "restricted to" means "only allowed for," e.g. "R-rated movies are restricted to viewers over 17." Viewers under 17 are restricted from viewing them.

    1. Re:UKism? by Dog-Cow · · Score: 1

      He didn't assume it. He was asking if the phrase meant the opposite in UK English as it does in US English. If so, he would then have concluded that the author of the summary (or article) was British.

    2. Re:UKism? by Scarred Intellect · · Score: 1

      Seems perfectly acceptable (I'm in the US, born and raised). To those under 13, it's restricted. Try not to overcomplicate things. http://www.merriam-webster.com/dictionary/restricted

    3. Re:UKism? by Anonymous Coward · · Score: 1

      This is one of those cases where TFS is accidentally correct. Once you turn 13, you should no longer be on Facebook or Instagram.

    4. Re:UKism? by n6kuy · · Score: 2

      You're right. In American English anyway.

      "Restricted to X" means available only to X.

      --
      If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
  12. How did he do it? by Anonymous Coward · · Score: 3, Insightful

    TFA gave a lot of useless information and stats but nothing actually of interest.

    How did he do it seems like a more appropriate question.

    1. Re:How did he do it? by wwalker · · Score: 1

      In all likelihood, this part of the story isn't even public. I highly doubt Facebook/Instagram released the technical details of the hack, and since the hacker got paid, I don't think he'll be sharing that info either. By the way, this part in the summary is particularly troubling: "Jani found he could alter code on Instagram's servers and force-delete users' posts." He could alter code on the servers? I kind of hope it was just journalists misrepresenting the truth, and it was just a simple case of the URL parameters not being sanitized correctly or something. It takes a special degree of fuckupness to allow rewriting of code on the server.

  13. Lol, even kids hack it by Anonymous Coward · · Score: 1

    Sadly after Finnish taxes that's more like $4000...

    Also, isn't that a bit embarrassing for a big tech company that even a kid can literally hack it?

  14. That's the reason for these programs in the first by waspleg · · Score: 2, Interesting

    place - that they don't have to hire anyone. It's another form of temp worker program. They don't owe benefits, don't owe pension or 401k matching, nor do they even have the possibility of being sued despite the kid being too young to work basically anywhere.

    How much would they have paid a professional security firm or on staff IT to audit them and get this result?

  15. Re: Simple question by Anonymous Coward · · Score: 1

    You know that cows guy? After like 10 years of reading this site, I think it finally hit me - you're all fucking cows! No human would argue such ridiculous shit on the Internet when they have much better human things to do.

  16. What happens under TPP? by Anonymous Coward · · Score: 1

    Would this kind of activity become illegal under TPP? Not just this particular example, but Facebook's bounty program in general? If the kid is from a country that refuses to sign TPP, could he still be prosecuted?

    1. Re:What happens under TPP? by Joe_Dragon · · Score: 1

      under the TPP they can say that 10K a year is a good wage and that the US min wage is too high under an investor-state dispute

  17. Re:Simple question by Wovel · · Score: 2

    Pro tip. Create an account and log in to post. For many (perhaps most or even all) people, posts by ACs start at -1. This is sensible since most AC posts are completely worthless. Since there is really nothing in your post to suggest it should be significantly modded up, you are likely stuck in that hole.

  18. funny by Anonymous Coward · · Score: 1

    how they pay some while deny others

  19. Re:Simple question by TheRaven64 · · Score: 1

    Do you use Facebook? If so, you're entrusting data to a system written by people who write code that a 10-year-old can compromise.

    --
    I am TheRaven on Soylent News
  20. Only $10,000? by twmcneil · · Score: 2

    Cheap Bastards.

    --
    "The ferrets, they're every where I tell you!"
    1. Re: Only $10,000? by jmcvetta · · Score: 1

      What do you expect from a VC-backed company? The big bucks are for people with the right family connections, not for lowly plebs like this kid.

  21. He should have taken an alarm clock apart by wyattstorch516 · · Score: 1

    Then put the innards into a suitcase. That would have gotten him a scholarship offer from MIT and an invitation to the White House.