You have to be at least 13 years old to have an account on Instagram, but this didn’t stop one 10-year-old Finnish boy from exposing a vulnerability in the Facebook-owned photo-sharing application and winning $10,000 for his work.
Helsinki-based Jani (his parents didn’t reveal his last name) discovered that he could erase any written content on Instagram by altering code on its servers. Facebook told Forbes that he verified this by deleting a comment the company posted on a test account.
The Facebook spokesperson added that the problem came from a private application program interface not properly checking that the person deleting the comment was the same one who posted it.
“I tested whether the comments section of Instagram can handle harmful code. Turns out it can’t. I noticed that I can delete other people’s comments from there,” Jani told Helsinki-based newspaper Iltalehti. “I could have deleted anyone’s – like Justin Bieber’s for example.”
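The missing check the Facebook spokesperson describes, shown beside its corrected form in an added example that is not Instagram's or Facebook's code. Every name here (`CommentStore`, `delete_unchecked`, `delete_checked`, `sample_store`) and the sample data are constructed for illustration, and the example assumes that only a comment's author may delete it.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the object."""


@dataclass
class Comment:
    comment_id: int
    author_id: int
    text: str


class CommentStore:
    """In-memory stand-in for the comment backend (hypothetical)."""

    def __init__(self, comments):
        self._by_id = {c.comment_id: c for c in comments}

    def get(self, comment_id):
        return self._by_id.get(comment_id)

    def delete_unchecked(self, session_user_id, comment_id):
        # Flawed form: the caller is authenticated, but the handler trusts
        # the comment id alone and never compares the caller to the author.
        return self._by_id.pop(comment_id, None) is not None

    def delete_checked(self, session_user_id, comment_id):
        # Corrected form: session_user_id must come from the server-side
        # session, never from a request parameter the client controls.
        comment = self._by_id.get(comment_id)
        if comment is None:
            return False
        if comment.author_id != session_user_id:
            raise Forbidden("caller %d does not own comment %d"
                            % (session_user_id, comment_id))
        del self._by_id[comment_id]
        return True


def sample_store():
    # Constructed data: user 1 wrote comment 100, user 2 wrote comment 101.
    return CommentStore([Comment(100, 1, "first"), Comment(101, 2, "second")])
```
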
Facebook’s bug bounty program rewards people who identify and report security issues. In the five years since it launched, it has paid $4.3 million to more than 800 researchers for over 2400 submissions. Instagram was added to the program in 2014.
Payouts vary based on the level of risk a bug poses. Considering the average reward last year was only $1780, Jani’s $10,000 shows that Facebook regarded it as a fairly high-level threat.
Jani, who learned his skills by watching YouTube instructional videos, is now the youngest person to receive a reward from the program, beating the record set by a 13-year-old back in 2013. He said he plans to buy a football and new bicycle with some of the money.