Teenager finds bugs in Google, Facebook, Apple, Microsoft code

Teenager finds bugs in Google, Facebook, Apple, Microsoft code
Published: 03 February 2012 (1551 Views)
When he's not at school, 15-year-old Cim Stordal spends his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish shop in Bergen, Norway. But his real passion is finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said in a recent Skype interview with CNET. (As a "self-persistent" issue, the bug Stordal disclosed was not exploitable by a third-party because it required a user to take an action to be at risk, according to Facebook.)

"I just look around at the site and find out where I can input HTML and stuff and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said. "What an attacker wants is often the cookie, which can be used to log-in as the user."

Stordal says of the sites he poked around in, Apple was the easiest to find a flaw in. "I found the Facebook [hole] after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. (Apple representatives did not respond to a request seeking comment.)


Cim Stordal shows off the White Hat Visa card he received for disclosing a vulnerability to Facebook.
(Credit: Cim Stordal)

The companies appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and fixed the flaws kind of fast."

Stordal started looking for vulnerabilities in software when he was 14 years old. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and I searched around and learned Basic."

His friends are impressed with his skills and lean on him to help keep their Web sites secure. His parents aren't really sure what to make of his research.

"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."

His next move is looking for vulnerabilities on mobile devices. He's trying to set up a fuzzer (automated software testing tool) on his iPhone 3GS.

- news.cnet.com

 0

You May Like These Videos

Comments

There are no comments.

Latest stories

Man loses 'Toyota Raum' to robbers

by Simbarashe Sithole | 21 September 2018 | 166 Views

International media stampede to interview Mnangagwa

by Staff Reporter | 21 September 2018 | 211 Views

Brutalising vendors must stop

by Jacob Mafume, MDC National Spokesperson | 21 September 2018 | 162 Views

I doubt if Dabengwa really endorsed Mnangagwa - Mthwakazi activist

by Stephen Jakes | 21 September 2018 | 179 Views

Marc Cayeux gives everyone hope after top ten finish in Cape Town

by Agencies | 21 September 2018 | 105 Views

President Mnangagwa debuts at UNGA

by Bevan Musoko | 21 September 2018 | 156 Views

BREAKING: Harare - Johannesburg Intercape bus in accident, 10 people dead

by Staff reporter | 21 September 2018 | 317 Views

Stop unnecessary traveling to cholera affected areas - MIHR

by Stephen Jakes | 21 September 2018 | 121 Views

We need Mthwakazi restoration soon

by Stephen Jakes | 21 September 2018 | 116 Views

Rural development agenda should be on the priority list

by Stephen Jakes | 21 September 2018 | 116 Views

IMF offers to help Zimbabwe clear arrears

by Staff reporter | 21 September 2018 | 232 Views

Mugabe's party rejoins Mnangagwa's Zanu-PF

by Staff reporter | 21 September 2018 | 237 Views

Streak seeks ZC liquidation

by Staff reporter | 21 September 2018 | 140 Views

'Chamisa must not waste time fighting Mnangagwa'

by Staff reporter | 21 September 2018 | 246 Views

Chipanga appeal thrown out

by Staff reporter | 21 September 2018 | 176 Views

New minister cracks the whip

by Staff reporter | 21 September 2018 | 173 Views

Deal decisively with Parly delinquents

by Zvamaida Murwira | 21 September 2018 | 142 Views

Mthuli Ncube faces tough choices

by Lovemore Chikova | 21 September 2018 | 164 Views

Currency reform answer to Zimbabwe's economic woes

by Bongani Ngwenya | 21 September 2018 | 150 Views

Dabengwa ditches Chamisa, endorses Mnangagwa?

by Staff reporter | 21 September 2018 | 156 Views

Sibusiso Moyo alive & well

by Staff reporter | 21 September 2018 | 140 Views

'Mugabe University not a priority'

by Staff reporter | 21 September 2018 | 133 Views

Chamisa battles open rebellion

by Staff reporter | 21 September 2018 | 161 Views

Prophet up for pregnant woman rape

by Staff reporter | 21 September 2018 | 101 Views

Bulawayo pins hopes on devolution

by Staff reporter | 21 September 2018 | 91 Views

Nust shut down

by Staff reporter | 21 September 2018 | 145 Views

Zimbabweans want US or Zim dollar only, not SA Rand

by Staff reporter | 21 September 2018 | 145 Views

Chamisa's MDC Alliance starts merging into single party

by Staff reporter | 21 September 2018 | 94 Views

Vic Falls man hangs self after bar brawl

by Staff reporter | 21 September 2018 | 82 Views

Cholera hits Beitbridge

by Staff reporter | 21 September 2018 | 81 Views

Cop up for assault

by Staff reporter | 21 September 2018 | 52 Views

Gumbura hires Madhuku to challenge delayed trial

by Staff reporter | 21 September 2018 | 66 Views

Devolution will develop provinces with natural resources

by Staff reporter | 21 September 2018 | 55 Views

Family evicted, dumped in the bush

by Staff reporter | 21 September 2018 | 48 Views

Soul Brothers coming to Bulawayo

by Staff reporter | 21 September 2018 | 105 Views

Zimbabwean scientist wins Cambridge scholarship

by Staff reporter | 21 September 2018 | 54 Views

MDC Alliance activist jailed over arson threats

by Staff reporter | 21 September 2018 | 41 Views