A hacker from Finland has become the youngest ever person to win a 'bug bounty' from Facebook for uncovering a security flaw.
Ten year old cyber security prodigy Jani – his parents declined to dislose his full name – has at least three years until he can legally join the social network, but found a flaw in the Facebook-owned Instagram platform, earning him $10,000 in rewards.
He found and reported a flaw in Instagram's API which is supposed to check if someone has the authority to delete a comment before communicating the request with the server.
'I would have been able to delete anyone's comments, even Justin Bieber,' the boy told Finnish newspaper Iltalehti.
Although it's not clear how they discovered the vulnerability, Jani and his twin brother said they learned about cyber security watching YouTube videos. When asked if he would like to become a security expert, Jani told Iltalehti: 'it would be my dream job. Security is really important.'
He could have forfitted his reward, but because Jani's hack did not require him to sign in or create an Instagram account, he hasn't violated the site's terms and conditions that users must be at least 13 years old.
The bounty is in the upper scale of those biggest received by Facebook bug hunters, although the single largest bounty so far has been $20,000. Facebook says the size of the reward depends not on the complexity of the vulnerability but on its potential impact and number of users it could affect. The bug discovered by Jani would have potentially exposed all of Instagram's 400 million users – including Justin Bieber.
What does Jani plan to do with his newly acquired pocket money? Like any normal ten year old boy, he said he wants to spend his money on football equipment, a new bike and new computers for himself and his brother so they can continue to get ahead in their burgeoning cyber security careers.
Jani may have come clean about his discovery but not all hacker prodigies have used their powers for good – in 2013 a 12 year old Canadian became the youngest convinced hacker after pleading guilty to causing over $60,000 in damages to government and state organisations through DDoS attacks and website vandalism, trading Anonymous information for pirated video games.
And last year, a 15 year old schoolboy in Northern Ireland was arrested for his involvement in one of the largest corporate data breaches in history which saw 157,000 customers' details exposed.