10-Year-Old Claims $10,000 Instagram Bug Bounty

instagram

A 10-year-old has tipped off Facebook about a flaw that made it possible to delete any comment on Instagram. The Finnish boy has earned a $10,000 bounty despite not officially being old enough to have an Instagram account.

While Facebook hasn’t revealed the full details of the  flaw, it has said it was in a private API which had been set up in a way that didn’t properly verify that a user deleting a comment was indeed the one who originally posted it.

The boy, named only as Jani, told local media that he would have been able to delete comments from anyone, “even Justin Bieber.” If that was the case, Jani appears to have been a smart and responsible security researcher by not testing his theory in this way. Instead he proved the flaw by deleting a comment made by Facebook on a test account.

Jani says he’s found several other bugs on websites but this is the first time he’s claimed a cash reward. While his age means the bounty will actually be paid to his parents, he’s already put a football, a new bicycle and computers for both he and his brother on his spending list.

According to Facebook, this beats the record for the youngest ever person to report a bug and earn a reward that was previously held by a 13-year-old. Facebook made the payment this time despite the fact that Jani technically breached the bug bounty program’s rule that researchers must follow its terms of service, including being old enough to use its sites and services.

[Picture source: Jon Lock]