A 10-year-old boy from Finland earned $10,000 after discovering an API bug that allowed him to erase Instagram comments from any account.
Facebook confirmed to Threatpost the boy, who goes by the name “Jani”, discovered the bug in late February and received the payout in early March from Facebook’s Bug Bounty program. Actually, it was the boy’s mom who received the payout, because Jani didn’t have a bank account, Facebook said.
Facebook said it was unaware of the boy’s age until his mother sent Instagram a thank you note expressing gratitude for the $10,000 reward. “The mom said she was thankful her son earned the money from a PC the parents had just given him the previous fall. We had no idea how old he was until the mom told us. That’s when we said, ‘oh my gosh, he’s only 10,’” said a Facebook spokesperson.
First reported by local paper Iltalehti, the Finnish news website said Jani planned to spend a portion of the money on soccer gear, a new bike and computers for his brothers. Prior to Jani, Facebook said, the youngest bug bounty payout had gone to a 13-year-old.
“It’s unusual that he is 10, because he isn’t even old enough to use our products,” Facebook said. Jani, Facebook said, was technically not using Instagram because the API bug allowed him to delete comments on Instagram posts without ever having to log on to the service.
Jani had discovered a hole in the permission checks of an Instagram API, the checks that should have confirmed that the user deleting a comment was the one who created it. That flaw allowed Jani to delete Instagram comments of any user.
Facebook said it is unaware if the bug has ever been exploited in the wild.
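The bug class described above is a missing object-level authorization check on a delete endpoint. The following is an added illustration, not Instagram’s code: a comment-deletion handler that deletes by id alone, beside one that verifies ownership first. All names, data and the assumption that a post’s owner may also remove comments on that post are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    post_id: int
    author_id: int
    text: str


@dataclass
class CommentStore:
    # Constructed in-memory stand-in for the service's database.
    comments: dict = field(default_factory=dict)   # comment_id -> Comment
    posts: dict = field(default_factory=dict)      # post_id -> owner user id

    def add(self, c: Comment) -> None:
        self.comments[c.comment_id] = c


class AuthorizationError(Exception):
    """Raised when the requester may not act on the comment."""


def delete_comment_vulnerable(store: CommentStore, requester_id: int, comment_id: int) -> bool:
    """Deletes by id alone: the requester is never consulted, so any caller
    who knows (or guesses) a comment id can remove any user's comment."""
    return store.comments.pop(comment_id, None) is not None


def delete_comment_checked(store: CommentStore, requester_id: int, comment_id: int) -> bool:
    """Deletes only if the requester authored the comment or owns the post
    it sits on (the post-owner rule is an assumption for this example)."""
    comment = store.comments.get(comment_id)
    allowed = comment is not None and requester_id in (comment.author_id, store.posts.get(comment.post_id))
    if not allowed:
        # Same failure for "no such comment" and "not yours", so the error
        # cannot be used to enumerate which comment ids exist.
        raise AuthorizationError("comment not found or not owned by requester")
    del store.comments[comment_id]
    return True


def demo() -> tuple:
    """Constructed scenario: user 2 (a stranger) targets user 1's comment on user 3's post."""
    store = CommentStore(posts={5: 3})
    store.add(Comment(100, 5, author_id=1, text="first"))
    stranger_removed = delete_comment_vulnerable(store, requester_id=2, comment_id=100)
    store.add(Comment(100, 5, author_id=1, text="first"))
    try:
        delete_comment_checked(store, requester_id=2, comment_id=100)
        stranger_blocked = False
    except AuthorizationError:
        stranger_blocked = True
    post_owner_ok = delete_comment_checked(store, requester_id=3, comment_id=100)
    return stranger_removed, stranger_blocked, post_owner_ok
```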
Facebook’s Bug Bounty program was launched in 2011 and since then has paid out $4.3 million to more than 800 people. The average Facebook Bug Bounty payout is $1,800, according to the company. That puts Jani in the same class as other elite bug hunters earning $10,000 or more.
In March, Facebook paid $15,000 to an India-based security researcher who found a glaring password-reset vulnerability that allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack. At the time, Facebook said that $15,000 was at the top end of what bug bounty hunters earn with Facebook.
What’s next for Jani? According to the Iltalehti report, Jani said he wanted to grow up and be a computer security researcher. “It would be my dream job. Security is very important,” he told Iltalehti.