The flaw Jani exposed gave him the power to erase anyone’s comments, even those posted by “Justin Bieber,” he told Iltalehti, the news outlet in Finland that first reported Jani’s exploits. He left Bieber alone, however, tipping off Facebook instead. Facebook says it fixed the flaw in February.
Facebook compensated the young Finn — or, more accurately, his parents on Jani’s behalf — to the tune of $10,000. Jani sets a new hacking record as the youngest bug bounty hunter recognized by Facebook; previously that title belonged to a 13-year-old. (With the loot he scored from Facebook, Jani plans to buy exactly what a 10-year-old with a 10-grand windfall would dream of: soccer gear, a new bike and computers for himself and his twin brother.)
This reward puts Jani in the upper tier of hackers Facebook has paid for finding bugs. Since the company launched its bounty program in 2011, Facebook says it has paid out about $4.3 million to more than 800 researchers.
Melanie Ensign, a security representative at Facebook, told The Washington Post by phone early Wednesday that most of those payouts are much smaller amounts. The reported $1,780 average reward skews high, she said, with a cluster of very large payouts obscuring the typical sum.
“We base our bounties on the scope of the risk, rather than the novelty or sophistication,” Ensign said. The flaw that Jani found “would have impacted everybody on Instagram.”
It’s not clear how Jani discovered the vulnerability. Iltalehti reports that Jani and his brother had a habit of watching videos about computer security on YouTube. The bug was an issue with Instagram’s application program interface, or API — how the app communicates with a server. If you want to erase a remark from Instagram, the API checks that you have the authority to delete the comment.
“That checking process wasn’t working properly,” Ensign said. “You’re only supposed to be able to delete comments that you own.”
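The authorization gap Ensign describes, as an added illustration that is not Instagram's code: a comment-delete handler that only confirms the comment exists, beside one that also checks the requester owns it and refuses anonymous callers. The in-memory store, the `Comment` class and the function names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Comment:
    comment_id: int
    owner_id: int
    text: str


def sample_store() -> dict:
    # Constructed sample data: two comments posted by two different users.
    return {
        101: Comment(101, owner_id=1, text="nice photo"),
        102: Comment(102, owner_id=2, text="great shot"),
    }


def delete_comment_vulnerable(store: dict, requester_id: Optional[int],
                              comment_id: int) -> str:
    # Broken check: verifies the comment exists but never compares the
    # requester with the owner, so even an unauthenticated caller
    # (requester_id=None) can remove anyone's comment.
    if comment_id not in store:
        return "not_found"
    del store[comment_id]
    return "deleted"


def delete_comment_fixed(store: dict, requester_id: Optional[int],
                         comment_id: int, audit: Optional[list] = None) -> str:
    # Object-level authorization: only the owner of this specific comment may
    # delete it; anonymous callers are refused, and refusals are logged so a
    # burst of "forbidden" results on many comment ids can be detected.
    comment = store.get(comment_id)
    if comment is None:
        return "not_found"
    if requester_id is None or comment.owner_id != requester_id:
        if audit is not None:
            audit.append((requester_id, comment_id, "forbidden"))
        return "forbidden"
    del store[comment_id]
    return "deleted"
```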
After Jani told Facebook about the problem, the company created a test Instagram account and posted a comment. All right, Facebook told him, go delete the comment. So he did.
To hear Ensign say it, Jani’s approach was completely ethical — the 10-year-old hacker had neither ulterior motive nor a Guy Fawkes mask. He hasn’t even violated Instagram’s terms and conditions, which require that users must be at least 13 years old. (Jani’s hack did not require him to sign in or even create an account.) If he had made an account, Ensign said, he may have forfeited his claim for a reward. In the past, Facebook has denied rewards to hackers who found flaws but committed other violations, perhaps most famously snubbing the Palestinian computer researcher who commandeered Mark Zuckerberg’s personal page.
Jani hopes to parlay his early prowess into a career in computer security, telling Iltalehti that this would be his “unelma-ammatti” — dream job.