Facebook-owned Instagram was found to be vulnerable by 10-year-old Jani from Helsinki, who revealed that he could delete comments and descriptions on any Instagram account.
The vulnerability enabled Jani to insert malicious code into the comment section of Instagram, effectively allowing him to delete anything – even profiles – with no authorization from the targeted account.
“I tested if Instagram can withstand malicious code in the comment section,” Jani says. “I found that I can delete other people’s writings from there. I would have been able to eliminate anyone, even Justin Bieber.”
Reporting the bug landed him a bounty of $10,000, even though the program’s terms of service require that reporting security researchers be of legal age.
Although Jani was surprised by his own discovery, this was not his first bug bounty report. He has been actively reporting security vulnerabilities for a while, although this was the first time he was paid. While the average bounty for reported vulnerabilities starts from $500, the $10,000 bounty received by Jani points to the seriousness of the bug.
His father was also surprised by Jani’s security endeavor. Joking that he hoped this was only a childhood phase, he was also impressed by what Jani was able to accomplish.
Facebook researchers were able to quickly plug the vulnerability, preventing anyone from exploiting it in the future. Meanwhile, after receiving his Facebook check, Jani hopes to spend it on a new bike and computer, fueling his passions for both security and biking.