Facebook rewards child hacker with $10K bounty

A 10-year-old hacker in Finland found and reported a security flaw on Instagram, for which he was handsomely rewarded.

A 10-year-old Finnish boy snagged $10,000 from Facebook for finding and reporting a security flaw he discovered on its photo- and video-sharing service Instagram. Given that the young hacker is three years shy of the age required to open an account on Facebook, he can’t even share the good news.

Jani, whose parents have asked media to withhold his last name, found a way to delete comments posted under images on other people’s accounts on Instagram. He said that he could delete anyone’s comments, even those of pop star Justin Bieber (though he didn’t), he told Finnish newspapers. 

The problem, which Facebook fixed in February, was with Instagram’s API, or application program interface, a way for developers to use Instagram data to incorporate its features into their apps. Instagram’s API is supposed to confirm that a user has the authority to delete a comment.

“That checking process wasn’t working properly,” Melanie Ensign, a security representative at Facebook, explained to The Washington Post. “You’re only supposed to be able to delete comments that you own,” she said.

It’s not unusual for Facebook, Google, Twitter, Yahoo, Microsoft, and others to court hackers with so-called bounties to help their internal teams identify and fix potential security problems – and to deter hackers from selling information about vulnerabilities to criminals or spy agencies.

Jani is among about 800 hackers who collectively have earned $4.3 million since 2011 through Facebook’s bounty program. A typical bounty is $1,780, though that’s skewed high by several huge rewards, according to The Post.

The Finn is also the youngest Facebook hacker, beating out a 13-year-old for the title, and one of the highest paid by the company.

But there have been younger hackers. The youngest appears to be Kristoffer Von Hassel from San Diego, Calif., who discovered a security flaw on the online gaming service Xbox Live in 2014, when he was five. As a reward for his discovery, Kristoffer got four video games, $50, and a year-long subscription to Xbox Live from Microsoft. 

“I was like...yeah!” the youngster told CNN affiliate KVTV-10.

Not all young hackers take the noble route and report the flaws they uncover. In October a high-school student motivated by his dislike for US foreign policy broke into the e-mails of CIA Director John Brennan and posted some of their contents on Twitter.

He was arrested by British authorities in February, reported CBS News.

There's a way to help tech-savvy kids develop their skills, while discouraging them from using them to do harm. Parents of young hackers should embrace their talent and foster it, some say, while trying to steer the kids towards hacking for good.

“Hacker kids are not like other kids,” Sabino Marquez, an information risk strategist, told The Christian Science Monitor recently. “You really have to cater to their sense of curiosity while simultaneously instilling iron-clad ethics to ensure that they do no evil,” he said.