Facebook rewarded $10,000 to an Instagram user that found an error on the photo-sharing website. A Finnish boy known only as “Jani,” for privacy protection reasons, found a bug in the Instagram website’s coding that allows a user to delete another user’s comments. According to Pix 11, 10-year-old Jani is the youngest recipient of a reward from Facebook.
Finnish newspaper Iltalehti states that the boy “plans to spend his money on a bike and a soccer ball,” said Pix 11.
According to Instagram’s user agreement, Jani is not even old enough to have his own Instagram account. However, Jani can rest easy about that technicality now. In March, he received his Facebook reward. Instagram users can also relax as the error was fixed back in February.
CNN Money reports that according to a Facebook spokesperson, “It is not uncommon for teenagers to submit reports to the program,” but a 10-year-old is something new.
This bug is not one that just any casual user could have found. The Mercury News notes that the boy claims to have been able to use an injection attack to delete the comments on Justin Bieber’s account. An injection attack is when a programmer or hacker uses code (often SQL) within an entry field or form, which executes when the form is submitted. So, despite his age, Jani knew what he was doing.
When asked about becoming a full-time security researcher, IT Pro quoted the young man as saying, “It would be my dream job. Security is very important.”
RELATED REPORTS BY THE INQUISITR
While SQL injection is a pretty standard method of attack, occasionally designers fail to account for it. If the backend of a website does not protect against it, the code in the entry field can be executed on the server. The chances are that if the boy could use SQL code to delete comments through injection, it is very likely that a more malicious and sophisticated hacker could use SQL commands to do other things, such as query data and personal user information. So the $10,000 reward potentially saved Facebook and Instagram millions of dollars in averted cost that could have arisen from an actual attack.
Since establishing its bug-finding rewards program, Facebook has paid over 800 users more than $4.3 million in cash awards. That is an average of about $5,400 per reward, so Jani got paid at the top end of the scale.
Facebook is not the first, nor is it the only website to offer incentives to users for finding errors and exploits. According to the company Bugcrowd, over 100 companies offer bounties for finding bugs. These prizes range from simple recognition with the finder’s name on a “Hall of Fame” list to swag or monetary rewards. A few of the more well-known companies that have implemented such programs are AT&T, Google, Microsoft, and PayPal.
Bug bounties are becoming big business with companies like Bugcrowd, which uses crowdsourcing to provide testing services to a variety of firms. Bugcrowd charges companies a fee to crowdsource testing projects for them. They provide the companies with advice on establishing bounty rates and testing cycles. They also provide a place for bug bounty hunters to obtain jobs on a regular basis. When the company submits a project, Bugcrowd releases it to a crowd of researchers located all over the world. Bugcrowd acts as an administrator for a company’s bug bounty program. Other companies like Github are beginning to cash in on the industry as well.
Bug bounties may not be a new way for large IT companies to obtain security testing services, but it is a new developing industry that has not received much attention. Facebook rewards to users for finding bugs is getting a lot of press now thanks to 10-year-old Jani, but in the future, bug bounties may become as common a career option as in-house software testing was in the ’80s.
[Photo by Justin Sullivan/Getty Images]