Teenager finds bugs in Google, Facebook, Apple, Microsoft code

Published: 03 February 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish shop in Bergen, Norway. But his real passion is finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said in a recent Skype interview with CNET. (As a "self-persistent" issue, the bug Stordal disclosed was not exploitable by a third party because it required a user to take an action to be at risk, according to Facebook.)

"I just look around at the site and find out where I can input HTML and stuff and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said. "What an attacker wants is often the cookie, which can be used to log in as the user."

Stordal says that, of the sites he poked around in, Apple was the easiest to find a flaw in. "I found the Facebook [hole] after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. (Apple representatives did not respond to a request seeking comment.)


Cim Stordal shows off the White Hat Visa card he received for disclosing a vulnerability to Facebook.
(Credit: Cim Stordal)

The companies appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and fixed the flaws kind of fast."

Stordal started looking for vulnerabilities in software when he was 14 years old. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and I searched around and learned Basic."

His friends are impressed with his skills and lean on him to help keep their Web sites secure. His parents aren't really sure what to make of his research.

"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."

His next move is looking for vulnerabilities on mobile devices. He's trying to set up a fuzzer (automated software testing tool) on his iPhone 3GS.

- news.cnet.com
