10-Year-Old Finnish Whiz Kid Scores $10,000 Facebook Prize For Hacking Instagram

Watch out, bug hunters, the scope of your competition is expanding to include younger hackers. Take Jani, a 10-year-old living in Finland who discovered a vulnerability in Instagram that allowed him to delete anyone's comments. He proved the flaw to Facebook and was awarded a cool $10,000 for his efforts.

Jani isn't even old enough to use Instagram, but he didn't let that stop him from participating in Facebook's Bug Bounty program. Melanie Ensigtn, a security representative at Facebook, told The Washington Post that Jani's methods were completely ethical and void of any ulterior motives. He didn't even violate Instagram's terms of service, as the hack didn't require that he have an account. Had he created one, he may have been ineligible for a reward.


The vulnerability had to do with Instagram's application program interface (API), and specifically how the app interacts with a server. In order to erase a comment, the API performs a check to see if you have the authority to do so, but there was a bug in the checking process. Jani discovered it, telling Finnish news outlet Iltalehti that he could have even deleted comments posted by Justin Bieber, if he wanted to. Instead he told Facebook, which tasked Jani with proving his method by deleting a comment on a test Instagram account. He did and was handsomely awarded for his effort.

Jani is now the youngest person to have ever received a bug bounty from Facebook, snapping a record that previously belonged to a 13-year-old. The money actually went to Jani's parents, though he has a few items picked out he wants to buy. Jani plans to upgrade his soccer equipment and get a new bike, as well as new computers for him and his twin brother.

Facebook has now paid out around $4.3 million to more than 800 security researchers as part of its bug bounty program. The average payout is $1,780, a figure that Ensign says runs higher than the majority of the payouts because of some larger payments. Jani's payment was comparatively significant because the bug he found applied to the Instagram community at large.