Israeli teen awarded by Facebook for finding WhatsApp security breach
Yuval Sprintz, 17, notifies social network of breach in instant messaging app's browser-based platform allowing users to add fake phone numbers to group chats and add blocked users back into group; Facebook thanks him with a $1,250 prize.
Sprintz, 17, is in his last year of school but is simultaneously studying towards a computer science degree at Haifa University. He has also participated in the Davidson Institute of Science Education's Alpha Program, intended for gifted young men and women. The Davidson Institute is the educational arm of the Weizmann Institute of Science.
"I began showing an interest in information security at a very young age, and learned about it myself through the internet," Sprintz recounts.
A few months ago, Yuval was working on preparing a software tool able to merge two WhatsApp groups. As part of work on the project, he delved deep into the code of WhatsApp Web, the app's browser-based platform.
"I played around with some functions and tried doing something cool with them," he said. What he ended up finding, however, was a security breach that allowed users to add "fake" phone numbers, ones that don't represent any real accounts, to a WhatsApp group.
Yuval discovered that by exploiting this breach, any user could theoretically add as many other real users to the group as they saw fit, including ones previously blocked from the group, whereas normally only a group's administrator can add new users.
Another byproduct of the breach was the ability to add fake users with an exceptionally long phone number, which may lead to the app crashing altogether on certain smartphones.
Sprintz contacted Facebook using the social network's "Bug Bounty" program at the end of September. The program allows independent information security specialists to report security breaches to Facebook for a monetary reward. Sprintz used the program to send in the details of the breach he had discovered.
While it took several weeks for Facebook representatives to respond, they ended up sealing the breach with an update to the application. The company's representative thanked Yuval, congratulated him on finding the breach and notified him that he is set to receive a $1,250 reward.
Asked what he planned to do with the money, Sprintz responded: "I recently bought a powerful new computer, so the reward can go a long way towards that."
Facebook commented on his find, saying: "We're grateful the matter was brought to our attention. We quickly fixed the breach and awarded the researcher with a prize through our Bug Bounty program. The vulnerability he found could have allowed users to add someone who was blocked to group chats. We took care of the matter and know of no previous attempts to exploit it."
Alpha Program Director Dr. Orni Meerbaum Salant said, "Yuval is a graduate of the program, and we were able to tell he was an intelligent and creative person right from his physics research paper. Finding the Facebook breach came as no surprise. The Davidson Institute's gifted program brings together young men and women of similar ages with similar language and needs and allows them to receive intellectual stimulation while developing social skills and learning teamwork."