How My 9-Month-Old Daughter Earned Over $1,000 in a Bug Bounty Program

Maxilect
5 min read · Dec 20, 2023


Hello everyone! Today, I want to share a story that happened to my family. This article is not about making money. It’s just a tale of an interesting incident and some worrisome thoughts associated with it.

Background

I’ve been using Xiaomi smartphones for quite a while. I liked that for a reasonable price, you could get a decent device. However, lately, they have been including too much built-in advertising. So, when my latest smartphone broke, I decided to try a product from a different manufacturer.

I had heard good reviews about the Samsung family and decided to give it a try. I bought a mid-budget device, the Galaxy A30, from an official dealer (about a year and a half ago, it cost around 300 euro), and, overall, I was satisfied. It was slightly more expensive than the Xiaomi phones I was accustomed to, but it was evident why — the device felt more high-quality. But that’s not the point.

Nine-month-old tester

My little daughter was about 9 months old at that time. At this age, she loved to grab everything and explore with her fingers. She took the new phone, twirled it in every way, touched it and even chewed it. I didn’t resist, since the phone was locked anyway — let the child play.

One day I noticed that the phone in my daughter’s hands was unlocked. I probably forgot to turn it off and she just grabbed it before it turned off automatically, I thought. But when this happened the third and fourth time, I realized that the problem was not forgetfulness.

I had fingerprint login set up. On this model, a fingerprint icon appears at the bottom of the screen when you unlock, and you have to put your finger on it. So my first assumption was that the phone could be unlocked with any fingerprint. I tried it, and it didn’t work: unlocking really does work only with a fingerprint enrolled in the system. So I started watching how my daughter played with the phone.

A few days later I actually saw her unlock the phone. She was very attracted to the fingerprint icon appearing on the screen. She poked at it in different ways with two fingers, and suddenly the phone unlocked.

I decided to try it myself and managed to repeat my daughter’s achievement, and more than once.

Of course, the problem was unstable: sometimes the phone unlocked almost immediately, sometimes it took half an hour of moving your fingers around. But the scale of the problem added motivation to understand what was happening. This is a serious vulnerability. The lock screen effectively doesn’t work, and everyone has not only instant messengers on their phone, but also banking applications. Lose your phone, and before you know it, someone else walks into your bank and does whatever they want with your accounts. And if my little daughter was able to unlock the phone, then I’m probably not the first one to notice it.

Samsung response

Honestly, I’ve never participated in bug bounty programs. I just read about it in the news and knew that major companies pay well for finding serious vulnerabilities. Not so much driven by the desire to make money but out of curiosity about how it would end, I reached out to Samsung.

Then began a whole saga. They asked me to perform various actions with the phone — simply unlock it, delete the fingerprint, recreate it, and only then unlock it; update firmware and repeat the procedure. Naturally, all of this had to be done on video, periodically showing the firmware version page in the same recording.

The entire process was complicated by the fact that it was an unstable bug. While you were performing all the preparatory actions, several minutes would pass. And then you needed to reproduce the unlocking itself. Moreover, every time you tried to reproduce the error, it wouldn’t happen on the first attempt, and you’d think to yourself, “Maybe they’ve already fixed everything?”

My wife joined the process, and for some time, it became our family hobby in the evenings. “We have new instructions from Samsung; we need to reproduce this. I’ll sit with our daughter, and you start!” Specifically for the convenience of recording, we attached one smartphone on top, started recording on it, and from below, we replicated the required sequence of actions on my device. It was somewhat reminiscent of fishing. When the unlock succeeded, we got our dose of dopamine — the fish was caught.

Five months passed.

Towards the end, I received a message from Samsung with the number of the latest firmware update that I needed to wait for and then repeat the unlocking process. When the update was complete, I started recording, checked the firmware number, but couldn’t reproduce the bug, because after five consecutive failed fingerprint attempts the phone now demanded the passcode instead. It’s uncertain whether they fixed the underlying problem, but under these conditions, neither I nor my wife could replicate it.

We informed Samsung that the issue was no longer reproducible. It’s worth noting that many other manufacturers have had a failed-attempt counter on their devices for a long time; it seems like an obvious solution. However, the fact is that until this firmware update, Samsung didn’t have such a counter.
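To make the mitigation concrete, here is an added example (my own illustration, not Samsung’s code and not based on any knowledge of its firmware) of the failed-attempt counter described above. A fingerprint matcher that occasionally false-accepts is modelled as a constructed list of match results; the matcher, the `LockScreen` class and the threshold of five are all assumptions for the demo. The point it shows: with the counter, a flaky matcher that would accept on the seventh try never gets a seventh try, because biometrics are disabled and only the passcode can unlock the device.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Threshold from the article: five consecutive bad fingerprints, then require the passcode.
MAX_BIOMETRIC_FAILURES = 5


@dataclass
class LockState:
    consecutive_failures: int = 0
    biometric_locked: bool = False  # once True, only the passcode can unlock


class LockScreen:
    """Hypothetical lock-screen policy: biometrics are a convenience layered on a passcode."""

    def __init__(self, passcode: str, max_failures=MAX_BIOMETRIC_FAILURES):
        self._salt = os.urandom(16)
        self._passcode_hash = self._hash(passcode)  # never keep the passcode itself
        self.max_failures = max_failures  # None = no counter (the pre-update behaviour)
        self.state = LockState()

    def _hash(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def try_biometric(self, match: bool) -> str:
        """`match` is the verdict of a (hypothetical) fingerprint matcher."""
        if self.state.biometric_locked:
            return "biometric_disabled"  # the matcher is not even consulted
        if match:
            self.state.consecutive_failures = 0
            return "unlocked"
        self.state.consecutive_failures += 1
        if self.max_failures is not None and self.state.consecutive_failures >= self.max_failures:
            self.state.biometric_locked = True
            return "biometric_disabled"
        return "rejected"

    def try_passcode(self, candidate: str) -> str:
        # Constant-time comparison of the derived hashes; success resets the counter.
        if hmac.compare_digest(self._hash(candidate), self._passcode_hash):
            self.state = LockState()
            return "unlocked"
        return "rejected"


# Constructed matcher trace: six rejections, then a spurious accept on the seventh touch.
FLAKY_MATCHER = [False] * 6 + [True]


def simulate(match_results, max_failures):
    """Feed a matcher trace through a fresh lock screen and return the outcome per attempt."""
    screen = LockScreen("1234", max_failures)
    return [screen.try_biometric(m) for m in match_results]


if __name__ == "__main__":
    print("no counter :", simulate(FLAKY_MATCHER, None))
    print("counter = 5:", simulate(FLAKY_MATCHER, MAX_BIOMETRIC_FAILURES))
```

Without the counter the trace ends in `unlocked`; with it, attempts five through seven all come back `biometric_disabled`. Note that the counter does not fix a matcher that false-accepts, it only caps how many rolls of the dice an attacker gets before the passcode is required, which is why a counter should sit alongside a sound matcher rather than replace one.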

Bug Bounty

A couple of months later, I received a message from Samsung stating that the bug I reported was a duplicate but had a high priority. Therefore, for collaborating in the process of resolving it, we were entitled to a reward — $1,380 USD. The company was ready to transfer the money through one of their specialized partner sites — Bugcrowd.

I registered, and although the actual transfer hasn’t arrived there yet, I’ve already found out that I most likely won’t be able to withdraw the money from there. I’ll figure out a workaround, but for the story it’s not really crucial; it’s a purely technical matter now. Regardless of how it gets resolved, I’ll have something to tell my daughter when she grows up!

Conclusions

In my opinion, the story is not about blaming or not blaming a specific manufacturer. Understanding how it all works, I realize that bugs exist everywhere. However, it fundamentally undermines trust in phone security methods — biometrics, and so on.

What truly struck me was the critical nature of the bug: how easily the phone could be unlocked, and not just any phone but a Samsung. In essence, the phone had no protection whatsoever. The bug took quite a while to be fixed; six months passed from my first report. Moreover, as I was told, it was a duplicate (apparently of an older report). Things could be even worse with other manufacturers. I’d keep in mind that any device you own can be broken into.

Some time ago, my bank suggested enabling voice recognition, and I declined due to general security concerns. After this story, I definitely won’t agree to it anymore.

Author: Andrey Burov, Maxilect

Maxilect

We are building IT-solutions for the Adtech and Fintech industries. Our clients are SMBs across the Globe (including USA, EU, Australia).