Teenager finds bugs in Google, Facebook, Apple, Microsoft code

Published: 03 February 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish shop in Bergen, Norway. But his real passion is finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said in a recent Skype interview with CNET. (As a "self-persistent" issue, the bug Stordal disclosed was not exploitable by a third party because it required a user to take an action to be at risk, according to Facebook.)

"I just look around at the site and find out where I can input HTML and stuff and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said. "What an attacker wants is often the cookie, which can be used to log in as the user."

Stordal says that, of the sites he poked around in, Apple was the easiest to find a flaw in. "I found the Facebook [hole] after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. (Apple representatives did not respond to a request seeking comment.)


Cim Stordal shows off the White Hat Visa card he received for disclosing a vulnerability to Facebook.
(Credit: Cim Stordal)

The companies appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and fixed the flaws kind of fast."

Stordal started looking for vulnerabilities in software when he was 14 years old. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and I searched around and learned Basic."

His friends are impressed with his skills and lean on him to help keep their Web sites secure. His parents aren't really sure what to make of his research.

"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."

His next move is looking for vulnerabilities on mobile devices. He's trying to set up a fuzzer (automated software testing tool) on his iPhone 3GS.

- news.cnet.com
