Teenager finds bugs in Google, Facebook, Apple, Microsoft code

Published: 03 February 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish shop in Bergen, Norway. But his real passion is finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said in a recent Skype interview with CNET. (As a "self-persistent" issue, the bug Stordal disclosed was not exploitable by a third party because it required a user to take an action to be at risk, according to Facebook.)

"I just look around at the site and find out where I can input HTML and stuff and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said. "What an attacker wants is often the cookie, which can be used to log in as the user."

Stordal says that, of the sites he poked around in, Apple was the easiest to find a flaw in. "I found the Facebook [hole] after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. (Apple representatives did not respond to a request seeking comment.)


Cim Stordal shows off the White Hat Visa card he received for disclosing a vulnerability to Facebook.
(Credit: Cim Stordal)

The companies appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and fixed the flaws kind of fast."

Stordal started looking for vulnerabilities in software when he was 14 years old. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and I searched around and learned Basic."

His friends are impressed with his skills and lean on him to help keep their Web sites secure. His parents aren't really sure what to make of his research.

"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."

His next move is looking for vulnerabilities on mobile devices. He's trying to set up a fuzzer (automated software testing tool) on his iPhone 3GS.

- news.cnet.com
