Teenager finds bugs in Google, Facebook, Apple, Microsoft code

Published: 03 February 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish shop in Bergen, Norway. But his real passion is finding bugs in software used by millions of people on the Internet.

Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.

"I got a card for a self-persistent XSS [cross-site scripting flaw] at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said in a recent Skype interview with CNET. (As a "self-persistent" issue, the bug Stordal disclosed was not exploitable by a third party because it required a user to take an action to be at risk, according to Facebook.)

"I just look around at the site and find out where I can input HTML and stuff and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said. "What an attacker wants is often the cookie, which can be used to log in as the user."

Stordal says of the sites he poked around in, Apple was the easiest to find a flaw in. "I found the Facebook [hole] after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. (Apple representatives did not respond to a request seeking comment.)


Cim Stordal shows off the White Hat Visa card he received for disclosing a vulnerability to Facebook.
(Credit: Cim Stordal)

The companies appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and fixed the flaws kind of fast."

Stordal started looking for vulnerabilities in software when he was 14 years old. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and I searched around and learned Basic."

His friends are impressed with his skills and lean on him to help keep their Web sites secure. His parents aren't really sure what to make of his research.

"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."

His next move is looking for vulnerabilities on mobile devices. He's trying to set up a fuzzer (automated software testing tool) on his iPhone 3GS.

- news.cnet.com
