How a Russian Teenager Cracked Nation's Largest Social Network in His Spare Time
Ilya Glebov is 17 years old. This spring he graduated from one of the best school in Monchegorsk – a small town in Murmansk Oblast with a population of over 40 thousand people. While preparing for his Unified State Exam (USE) in computer science, he stumbled upon an article about a vulnerability in Facebook’s security system that made possible the hacking of nearly all of the accounts on the social network. He decided to try the same “trick”, as Ilya calls it, with VK. Eventually he discovered that such a vulnerability was also present in the Russian social network. Ilya was rewarded with two thousand dollars for his discovery and he received one more thousand from ICQ’s bug-bounty program after it was revealed that that platform was, too, susceptible to this method. However, Ilya will only be able to get his money after he turns 18. Right now he is planning to enrol in a university to study information security. He spoke to ITMO.NEWS about how he managed to find a flaw in Russia’s biggest social networks in between studying.
Did this actually start with an article about Facebook or have you been thinking about checking the security of VK before?
Actually, this story about Facebook has been around for a year; it was first published in 2016. I saw it then, just after the publication. Later, I happened to come across it again. This vulnerability was rooted in sorting through recovery codes on the company’s test domain. So I thought: how is VK any better? I had a rough knowledge of VK’s inner workings, so it had no trouble testing it. But this is indeed not the first time I’ve tested something for vulnerabilities. There are some reports on HackerOne about that. Overall, I managed to find the vulnerability that affected both VK and ICQ, and before that I tested another possible vulnerability in VK. It was also related to gaining access to private data, but this isn’t something I can talk about as of now.
So this vulnerability that you found in VK and ICQ and which you received a total of $3000 for - was there a real cause for concern about it? How did you find it?
I’ve been working on this problem for two days but in total it took me about four hours. The weak spot was based on the fact that each session generates a recovery code that is sent to a phone. But no one could ever guess that these sessions can be identical. I made it so that the sessions were the same: that the same code could be sent to different phone numbers. This afforded an opportunity to hack most accounts on the social network - the only ones that were safe from attack were ones that had enabled two-factor verification. You can read about it in detail on Habrahabr.
By the way, it was the first time I posted there - I’d only read posts there before that. The weak spot was simple but serious enough, yet no one had noticed it. On HackerOne only a few people saw it. That’s why I wanted to tell people about this, to warn them. Right after I found this vulnerability, I wrote a report on HackerOne. In 17 hours it was removed. In a couple days I was paid $2000. I also found out that the same security problem existed in ICQ and I got $1000 more from their bug-bounty program.
What were your family’s first impressions when they found out about your reward? Have you already decided how you’re going to spend it?
Natalya Glebova (mother): I, for one, only learned about this prize two days ago, even though it had all happened back in April. His dad still doesn’t know. Of course, at first I didn’t believe it; I’d never considered cybersports and the likes a legitimate source of income.
Ilya Glebov: Anyway, I can’t get that money until I turn 18, as I need to have a PayPal account to withdraw itl. I haven’t planned to spend it on anything yet; I’d rather save it.
When you wrote about what happened in your post on Habrahabr, you said that you were “studying” for your USE in computer science - what’s with the quotation marks?
Yes, it really did happen when I was reading up for my computer science exam. There was a problem number 27. The thing is that there was a lot of data - x1, x2, x3, x4, x5 and so on. I had to check and re-check. And I got so bored doing this, I just decided to take a break and read something. So I stumbled upon this article about Facebook’s security weakness and decided to try this method in VK. I read news a lot. I always monitor Habrahabr and on HackerOne there’s also such a tab called Activity, where reports on various events are posted.
So how did you do on your exams?
I got 97 (out of 100) points in computer science, but I was less lucky with maths - only 62 points there, even though the tasks were quite easy and solvable. I just made some silly mistakes. For example, a problem says: substract 3 from T and square the result; I start solving it and forget about the square. Or maybe I forget a comma somewhere. Even though it was math and physics that I enjoyed the most in school, aside from computer science. We have great teachers in those subjects and I like the way they work with us. I did much better even when I was doing test exams for training.
Unified State Exam. Credit: nrnews.ru
Many students start preparing for the USE one or two years in advance; they study with tutors and go to cram schools. Did you do the same?
I could go to computer science courses organized by a lyceum, but what’s the point? The USE for this subject wasn’t too complicated, so I studied on my own. I have never ever studied with a tutor at all. Back when I was preparing and solving the sample problems, even if I didn’t get something I would look up the solution on the internet, try to make sense of it. Konstantin Polyakov’s website, for example, was very helpful for me when I studied computer science.
Natalya Glebova (mother): Our town isn’t big, only 40 thousand people live there. There are probably only two good schools: the gymnasium where Ilya studied and a lyceum. All other schools have a medium level and half of them teach only up to 9th grade. When we started talking about the USE, Ilya said that we probably won’t find a good tutor in town anyway, so it’s better if he’ll study on his own.
Did any family members help you with studying?
Natalya Glebova (mother): There are no programmers in our family. I’m educated in economics, my husband is an engineer; he graduated from Gornyi University. We work in the area of metallurgy. That’s why if there were any problems with the computer at home - it is broken, something doesn’t load etc. we always brought it to Ilya. Among friends we couldn’t ask anyone for help but Ilya knew everything and could fix it. We bought a computer approximately in 2004 when he was 4 years old.
Ilya Glebov: It was very old with a huge screen.
Natalya Glebova (mother): It was leased using money borrowed from grandma. As far as I can remember, Ilya became very interested in computers after elementary school, he started reading and researching about it.
Were you not worried about having him spend so much time on the computer?
Natalya Glebova (mother): No, we didn’t really have to restrict him from anything, because Ilya managed to earn good grades in school, play and do something on the computer. He was always independent and we had to rein him in. He was into swimming and mountain skiing. Every year we go to Finland to ski. Ilya doesn’t like to ski on normal routes; he loves to ski in the forest.
Ilya with his family members
Ilya, when and how did computer science become something more than a hobby for you?
I’ve actually studied computer science in school since second grade. Of course, it wasn’t serious then. I got very interested in it approximately in eighth grade. I began with programming and wrote all types of small programs just for myself, to ease solving routine problems. For example there was a very easy program that would stitch together text files. I made a little window where I could put all documents and in the end get one big text file. Stuff like that. I found my first programming tutorials on the internet, of course, at various educational sites. If I didn’t understand something, I found it somewhere else. I’ve always been interested in learning and understanding how software works, how data is protected - all the inner workings.
Is there anyone in the IT-community you look up to?
Pavel Durov. I agree with a lot of his stances on things, especially regarding information security. I also keep an eye on the ACM ICPC competition - Pavel’s brother, Nikolai, was a winner, too, and, of course, ITMO University’s team are seven-time winners. I’m interested in the teams and in the event as a whole. I even checked out the problems they solved, but they are, understandably, highly complex.
Who did you support this year?
I was supporting ITMO University’s team. I think it was the team who had the best chances to win.
However, you want to study information security - that is the subject of the programs you have applied to. Why?
I just want for people’s information to be well-protected; so that there are no hacking attacks and people can sleep soundly. I’ve applied to five universities, but my top choice is ITMO since it really is one of the top universities in IT. I hope I get accepted - we’ll see how that turns out.
And have you thought about your career? Many applicants today are already thinking of opening up their own businesses.
I haven’t thought about my own company yet. Something like that involves a lot of risk and I’m not ready for that yet. I think it would be better to work at a major company, for starters, gain some experience. I’d say, in Russia those are Yandex, VK, JetBrains; globally - Apple, Amazon, Microsoft. I’m not making any concrete plans for now - my current objective is to enrol in a university here, in St. Petersburg. Then I’ll see how the situation develops.
After the interview, Ilya met with Danil Zakoldaev, head of Department of Information Security and Computer Technologies, and Alexey Itin, chairman of the Admissions Board. After a conversation and an evaluation of his knowledge, Ilya was offered a tuition-free position at School of Computer Technologies and Control’s program “Information Security Technologies”.
“We first heard about Ilya at a respectable online resource where IT experts talk and share their experience. Ilya’s knowledge of several subject fields exceed the requirements for other kids of his age; it’s obvious that he has a knack for reverse engineering and wants to learn, including on his own. We think he’ll be able to handle the pressure of basic subjects in his first year and will be able to demonstrate his full talent in the field of information security,” - says Danil Zakoldaev.
Alexey Itin, Danil Zakoldaev, Ilya Glebov, Natalya Glebova and Nikolay Pshenichniy (head of Career Guidance and Scouting Office)
“The university is a place that attracts talents. It’s important to us that creative and unorthodox-thinking kids apply for education here. An important task for the university is to seek out those who get great results on their exams, who win at school olympiads. But then many highly-motivated school students wouldn’t be able to enrol at tuition-free positions just because their USE results were slightly lower. For the last two years, the university has been working on a proactive program in seeking out and drawing in applicants who have achieved outstanding results in similar circumstances. After all, it is hard to measure talent in points or other figures. Sometimes, a twinkle in their eyes or motivation despite an unimpressive academic record turns out to be much more important for the university than anything else. I’m sure that Ilya will not have any trouble becoming a part of the ITMO.FAMILY and that he will prove himself both in and outside of his academic life,” - comments Anna Veklich, first deputy chairman of ITMO University’s Admissions Office.