
Facebook rewarded a 10-year-old for finding Instagram security flaw - vvvv
http://www.theverge.com/tech/2016/5/3/11579972/facebook-10-year-old-hacking-instagram-security-bug-10k
======
Zeimyth
It makes me happy to see people who find and report bugs rather than hiding
and exploiting them. I'm sure the monetary incentive doesn't hurt, either.

~~~
pgrote
Agreed.

Still, I don't understand why more people don't sell the exploits to the
highest bidder. It seems counterintuitive to me.

Maybe there are more people who sell the exploits and you just don't hear
about it as much as people who submit them to the corporations before
publicizing them.

~~~
tptacek
I know, right? $10,000! Facebook is worth billions! Think what the black
market might pay for a bug that would delete any Instagram comment!

~~~
nthitz
Previous commenters on HN have thought differently
[https://news.ycombinator.com/item?id=10795785](https://news.ycombinator.com/item?id=10795785)
;)

~~~
wglb
It is the same commentator. It appears in this most recent comment he
neglected to add a sarcasm indicator.

~~~
nthitz
You missed the ;) at the end of my message :D

~~~
wglb
Indeed I did.

------
danjoc
$10,000? Not to diminish what this child did in any way, but that is 4x what
the person received who obtained access to:

- Static site content
- Source code
- SSL key pairs
- iOS and Android app signing keys
- iOS push notification keys
- Email server credentials
- Twitter, Facebook, Tumblr, Foursquare, and Flickr API keys

[http://exfiltrated.com/research-Instagram-RCE.php](http://exfiltrated.com/research-Instagram-RCE.php)

~~~
onewaystreet
Because he broke the rules: [https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics...](https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929)

~~~
danjoc
I believe that particular opinion has been discussed to death here before, so
I won't address it.

The point I was trying to make is the market value seems wildly different from
what Facebook pays out. The pricing gives me the impression that Facebook's
bug bounty program is more concerned with public relations than it is about
improving Facebook security.

------
pbhjpbhj
Do Facebook face some sort of liability under COPPA for allowing [condoning?]
this under 13 yo - I'm presuming without verifiable parental consent prior to
use - to use their services?

Perhaps the time for Facebook to fight COPPA (for better or worse) is coming
soon?

~~~
envy2
In this case, seeing as COPPA is a US law and the kid in question is from
Finland (and thus likely under Facebook's EU subsidiary), I'm guessing not.

~~~
pbhjpbhj
Anticipating this objection I looked at some COPPA info briefly (I'm in the
UK, I'm not that familiar with USCs) and it suggested that the jurisdiction was
based on location of the controlling company or the servers (either being
sufficient) and not location of the children accessing the service. That makes
sense as otherwise companies could just use offshore servers and bypass the
regulation.

------
ck2
Trying to remember that other incident, not with Facebook, maybe Microsoft,
where it was a teenager and they wouldn't pay them because they weren't 18+.

So good on Facebook (this once).

ETA: it was PayPal
[http://seclists.org/fulldisclosure/2013/May/163](http://seclists.org/fulldisclosure/2013/May/163)

------
Asparagirl
Meanwhile, Apple remains one of the only big tech companies to _not_ have a
bug bounty program.

~~~
mrep
You've forgotten the biggest of them all: Amazon [1].

[1]: I consider them the biggest of them all considering how much of the web
is powered by AWS (just imagine if you found an exploit to give you full
access to all of AWS), but that's just my opinion.

------
blazespin
lol: "In 2015 alone, 210 researchers received $936,000 with an average payout
of $1,780."

~~~
teraflop
Maybe they mean "average per vulnerability", not "average per person".

------
satyajeet23
Damn, Facebook paid for a warm fuzzy PR moment.

The bug is worth $100.

------
topbru
Any details on how it worked?

~~~
ssclafani
"The problem lay in a private application programming interface (the slice of
code allowing certain outside access) that wasn’t properly checking the person
deleting the comment was the same one who posted it, the spokesperson added."

[http://www.forbes.com/sites/thomasbrewster/2016/05/03/facebo...](http://www.forbes.com/sites/thomasbrewster/2016/05/03/facebook-10-year-old-10k-instagram-vulnerability/)

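The quoted description amounts to a missing object-level authorization check: the endpoint knew who was calling but never compared that caller with the comment's author. The following is an added illustration written for this thread, not code from the article, Forbes or Instagram; the in-memory store, user ids and function names are constructed.

```python
# Added illustration (not Instagram's code): an authenticated "delete comment"
# handler that never checks ownership, beside the hardened version. The store,
# user ids and comment ids are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Comment:
    comment_id: int
    author_id: int
    text: str

@dataclass
class CommentStore:
    comments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, comment):
        self.comments[comment.comment_id] = comment

def delete_comment_unchecked(store, requester_id, comment_id):
    """Flawed pattern: the caller is authenticated (requester_id is known) but
    never compared with the comment's author, so any logged-in user can delete
    any comment just by supplying its id."""
    if comment_id not in store.comments:
        return False
    del store.comments[comment_id]
    return True

def delete_comment(store, requester_id, comment_id):
    """Hardened version: object-level authorization on the server. A refused
    attempt is logged so repeated cross-account deletions can be detected."""
    comment = store.comments.get(comment_id)
    if comment is None:
        return False
    if comment.author_id != requester_id:
        store.audit_log.append(("denied_delete", requester_id, comment_id))
        return False
    del store.comments[comment_id]
    return True

def demo():
    """Constructed scenario: user 2 asks each handler to delete user 1's comment
    101. Returns (unchecked_deleted, fixed_deleted, still_present, denials)."""
    vuln, fixed = CommentStore(), CommentStore()
    for store in (vuln, fixed):
        store.add(Comment(101, author_id=1, text="first!"))
    return (delete_comment_unchecked(vuln, requester_id=2, comment_id=101),
            delete_comment(fixed, requester_id=2, comment_id=101),
            101 in fixed.comments, len(fixed.audit_log))
```

The denied-attempt log entries are what a detection rule would key on: one refused deletion is noise, a burst of them from one account against many authors' comments is the signal.
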
~~~
randyrand
I'm hoping the bug was a little more complicated than just "we forgot to
check." That's a pretty dumb mistake to make...

~~~
balls187
Do you see how the PS3 security system was thwarted?[1]

1: [http://www.engadget.com/2010/12/29/hackers-obtain-ps3-privat...](http://www.engadget.com/2010/12/29/hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm/)

~~~
randyrand
Yes, dumb mistakes happen often, but that doesn't make them not dumb.

------
tpallarino
That's awesome. Good for this kid.

------
ldom22
Jesus, when I was 10 years old I was barely programming in ActionScript, which
is now dead. Now at 28 I can't even make that kind of money in an entire year.

------
altoz
Anyone else see this headline and think, "Some government gave them a
10-year-old?"

~~~
ssorallen
Haha yes, that's exactly how I interpreted it. Removing the "with $10,000"
from the actual headline made this a bit ambiguous.

~~~
jonah
A ten year old with $10,000. ;) That's more money than most kids that age have
to their name.

~~~
eric_h
In straight cash USD, that's more money than most people in the world have to
their name.

[Edit: straight cash == completely liquid assets]

~~~
jonah
Agreed. Even most USians.

(I was just playing on the idea of FB getting a kid and saying getting one
w/cash was even better!)

------
azinman2
Paid out to over 800 researchers? Wow, that's a lot of security bugs. I
wouldn't have guessed so many were possible. Imagine if they didn't have such
a program!

------
porter
Awesome kid, but how was this risk only worth $10k to Facebook? Needs a few
more zeros behind it.

~~~
porter
No idea why this is getting downvoted.

~~~
tptacek
Because it's an extraordinarily silly comment. If Facebook hadn't paid $10,000
for this bug, the next bidder in line would have been unlikely to pay more
than $50.

~~~
dfc
Vickrey auctions to the rescue.

