How my 9-month-old daughter earned over $1000 in a bug bounty program
Hello everyone! Today I want to share a story that happened to my family. This article is not about how to make money. It’s just a story about an interesting case and some worrying thoughts associated with it.
Background
I’ve been using Xiaomi smartphones for quite some time. I liked that for a small amount of money, you could get a fairly decent device. But lately, they’ve been including too much built-in advertising. So when my latest smartphone broke, I decided to try a product from another manufacturer.
I’ve heard good reviews about Samsung, so I decided to give it a try. I bought a mid-budget device from an official dealer — the Galaxy A30 (about a year and a half ago, it cost around 250 Euros) and was satisfied. It was a bit more expensive than Xiaomi, which I was used to, but it was clear why — the device felt more high-quality. But that’s not the point.
Nine-Month-Old Tester
At the time, my little daughter was about 9 months old. At this age, she loved grabbing and exploring things with her fingers. She would handle the new phone in various ways, twisting it, touching it, and even chewing on it. I didn’t resist, as the phone was locked anyway — let the child play.
One day, I noticed that the phone in my daughter’s hands was unlocked. I probably forgot to turn it off, and she just grabbed it before it automatically shut down, I thought. But when it happened a third and fourth time, I realized that forgetfulness wasn’t the issue.
I had set up fingerprint recognition. With this model, when unlocking, a fingerprint icon appeared at the bottom of the screen — you had to place your finger on it. So, my first assumption was that the phone could be unlocked with any fingerprint. I tried it — it didn’t work. Indeed, the unlocking only worked with a fingerprint saved in the system. And I began to watch how my daughter played with the phone.
A few days later, I actually saw her unlock the phone. She was very attracted to the fingerprint icon appearing on the screen. She would fiddle with it using her two fingers and suddenly, the phone unlocked.
I decided to try it myself, using fingers not saved in the phone. It didn’t work immediately, but I managed to replicate my daughter’s achievement. Not just once.
Of course, the problem was unstable — sometimes I could unlock it almost immediately, sometimes it took half an hour of finger movements. But the scale of the problem added motivation to understand what was happening. It was a serious vulnerability — the lock practically didn’t work, and the phone had not only messaging apps but also banking applications. You lose your phone, haven’t realized it yet, and someone else easily accesses your bank and does whatever they want with your accounts. If my little daughter could unlock the phone, then surely I wasn’t the first to notice this.
Communicating with Samsung
Honestly, I’ve never participated in bug bounty programs. I’ve just read about them in the news and know that big companies pay well for finding serious vulnerabilities. Not so much out of a desire to earn money but out of curiosity about how this would end, I contacted Samsung.
What followed was a whole saga. They asked me to perform various actions with the phone — simply unlock it; delete the fingerprint, recreate it, and then unlock it; update the firmware and repeat the procedure. Naturally, all of this had to be done on video, periodically showing the firmware version page in the same recording.
The whole process was complicated by the fact that this was an unstable bug. By the time you completed all the preparatory actions, several minutes had already passed. Then you still needed to reproduce the unlocking itself. Moreover, every time you tried to reproduce the error, it didn’t happen on the first try, and you would think to yourself, “Maybe they’ve already fixed everything?”
My wife joined the process, and for a while, it became our family hobby in the evenings. “We have new instructions from Samsung, we need to reproduce this. I’ll stay with our daughter, and you start!” For the convenience of filming, we attached one smartphone on top, started recording on it, and performed the required sequence of actions on my device below. It was somewhat reminiscent of fishing. Unlocking succeeded, we got our dopamine hit — the fish was caught.
Five months passed like this.
Towards the end, I received a message from Samsung with the number of the next updated firmware, which I had to wait for and then repeat the unlocking. When the update was installed, I started recording, checked the firmware number, but couldn’t reproduce the bug because they had added a code check after five consecutive incorrect fingerprints. It’s not guaranteed that they fixed the initial problem, but under these conditions, neither I nor my wife could reproduce it anymore.
We replied to Samsung that the problem could no longer be reproduced.
It’s worth noting that many other manufacturers had a wrong input counter on their devices for a long time — it’s such an obvious solution. But the fact is that Samsung didn’t have it until this firmware update.
Bug Bounty
A couple of months later, I received a message from Samsung stating that the bug I reported was a duplicate but had a high priority. Therefore, for collaborating in the process of fixing it, we were entitled to a reward — $1380 USD. The company was prepared to transfer the money through one of their specialized partner websites — Bugcrowd.
I registered, and although the transfer hasn’t actually arrived there yet, I’ve already looked into the fact that I probably won’t be able to withdraw the money from there. I’ll figure out workarounds, but for the story, it’s actually not important. It’s a technical issue now. However it’s resolved, I’ll have something to tell my daughter when she grows up!
Brief Conclusions
In my opinion, the story isn’t about whether to criticize or not to criticize a specific manufacturer. Knowing how it all works, I understand that bugs exist everywhere. But all of this fundamentally undermines trust in phone security measures — biometrics and so on.
What really struck me was the severity of the bug — how easily the phone could be unlocked, and not just any phone, but a Samsung. Essentially, the phone had no protection at all. And this bug took quite a while to fix — six months have passed since I first reported it. As I was told, it was also a duplicate (apparently, it was an older one). It could be even worse with other manufacturers. I would keep in mind that anything you have can be easily hacked.
Some time ago, my bank offered me voice recognition authentication — and back then I declined it for general security reasons. After this story, I definitely won’t agree to it anymore.
Author: Andrey Burov, Maxilect.
PS. Subscribe to our social networks: Twitter, Telegram, FB to learn about our publications and Maxilect news.