Security Week-in-Review: Bug hunter wins $10K at the tender age of 10


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affects you, your business, and the security and technology industry overall. This week we explore a young bug bounty hunter, the ADP breach, and the dangers of unpatched systems. Check back every Friday to learn about the latest in security news.

10-year-old wins bug bounty for finding flaw in Instagram

A 10-year-old boy discovered and reported a vulnerability in Facebook’s Instagram software that would allow anyone to delete comments from a post. The boy may be the youngest publicly acknowledged person to win a bug bounty. He made $10,000 from the report. “I tested whether the comments section of Instagram can handle harmful code. Turns out it can’t,” he told a local newspaper. The Guardian translated his comments. Facebook fixed the issue quickly, according to the boy who submitted the vulnerability in February.

Read more about the bug here.

Microsoft report shows 2010 vuln still regularly probed

Microsoft revealed in its latest Security Intelligence Report that a vulnerability exploited by the 2010 Stuxnet virus was actually the most exploited vulnerability in 2015. The continued exploitation of this vulnerability, CVE-2010-2568, indicates that there are a significant number of unpatched Windows machines — significant enough that criminals still find the attack worth attempting.

Get more information about the report here.

Spain makes dozens of arrests in CEO scam

A few weeks ago, the FBI released a warning to businesses about a phishing scam in which attackers pretended to be company CEOs asking for wire transfers or sensitive information later used to steal money. The AFP suggests, “The largest single sum lost to the fraud was 1.8 million euros ($2.1 million).” Many of these phishing messages are fairly sophisticated and convincing. Law enforcement in Spain arrested 44 people in Britain and Spain, according to the AFP, in connection with these scams.

Read more about the arrests here.

Cisco patches serious flaw in its TelePresence Systems

Cisco patched a number of flaws this week including one in its TelePresence video conferencing software. The flaw could have allowed an attacker to bypass authentication on the TelePresence software and make unauthorized changes to the system, as noted by CSO Online. Cisco also patched a hole in its Firepower System Software that could have allowed attackers to launch denial of service attacks against the software, potentially taking systems using the software offline.

See what else was patched here.

Attackers breach payroll company ADP; steal sensitive information

ADP, a large payroll solutions provider, released a letter about a serious data breach the company experienced, affecting W-2 tax data, as reported by Brian Krebs. The company explained that it began investigating the breach in late April and discovered that attackers had exploited an external web portal. The letter went on to note that the criminals could use the information stolen to “file a fraudulent income tax return under your name.”

Learn more about the breach here.

Bug image via rabiem22/Flickr