Jani — the ten-year-old from Helsinki who made international news by earning Instagram’s top bug bounty prize for uncovering a security flaw in the photo-sharing site — was born a couple a years after Facebook was invented in 2004 and just four years before Instagram went online in 2010. And he’s already made some history.
Jani discovered a flaw in the site that would have allowed him — or anyone — to delete content from any user from the site, even stars with tens of millions of followers including Taylor Swift, Selena Gomez and Beyonce. Like any good white-hat hacker he didn’t take advantage of the vulnerability. Instead, he reported the bug to Facebook, which now owns the app, directly.
His maturity paid off. Even though he is not technically old enough to use the site according Instagram’s terms and conditions, he’s become the youngest person ever to win a $10,000 bug bounty, which he’s used to purchase a soccer ball, a bike and other essential gear for being ten.
To celebrate his feat, F-Secure Labs invited Jani to visit our headquarters for a hamburger and a tour. The visit gave our experts a chance to share their stories about how they were drawn to cybersecurity.
Mikko learned to love computers from his mother who was in the industry. Päivi was guided into the field by her father and discovered that she has a passion for rooting out spam. When Tomi was a kid striving to learn the rules of the coin games his friends played so he could hack them and win, he recognized that he didn’t see the world like everyone else.
Jani has already discovered the same thing. Though he finds plenty of time for school and playing with his friends, he spends 2-3 hours during his off days hunting for vulnerabilities and looking out for new bug bounty programs — like our own — that allow him to test his skills.
How did he find the vulnerability in Instagram? First he created two accounts. He posted a comment using one account and then just using the publicly available content id number he was able to delete the comment using the other. Immediately he recognized the potential for such a flaw to be exploited.
Mikko and Tomi were impressed by how Jani used Linux and Burp Suite — a tool that pros like the analysts in our Labs use to analyze network traffic — to help identify the bug.
While he used to be interested in a career in video games, Jani says he’s now thinking about becoming a cybersecurity specialist.
Mikko and Tomi advised him to finish school and stay on the right side of the law. They also invited him to spend a week or two working at the Labs to see how he likes the job, when he’s old enough.
He’s planning on taking them up on the offer, saying that F-Secure looks like a “fun and cool” place to work. Nice. We’re always looking for new talent and even Mikko may retire one day.