Josip Franjković (18), currently a freshman in the Information Technology program at the American College of Management and Technology (RIT/ACMT), Zagreb campus, has on multiple occasions found errors in Google's and Facebook's security systems. As a result, Josip has won multiple prizes, and his name can be found on the Google Hall of Fame and Facebook's Whitehat lists.
Google and Facebook both have reward programs for individuals who find errors in their systems. How do these programs work?
In November of 2010, Google initiated the Vulnerability Reward Program with the goal of increasing the security of its users in the following domains: *.google.com, *.youtube.com, *.blogger.com and *.orkut.com. Google has ensured that individuals who find errors in the security systems which can harm the confidentiality and integrity of its users' data receive a monetary reward, and their name is then listed in its Hall of Fame. During the last two years Google has progressively increased the monetary rewards it gives out. Facebook launched its rewards program for improved security, Facebook Whitehat, in 2011, and it works on the same principle as Google's reward program.
Through their reward programs, both Google and Facebook try to motivate users with ample knowledge of internet security to report any bugs they find in their systems, rather than selling them to third parties, which could have very dangerous consequences.
You have received a number of rewards from Google. In which way did you help Google improve their security systems?
For both companies I have found errors in their security systems and I have received several rewards totaling $4,274. For Google I submitted three errors in their security systems that are called stored Cross Site Scripting (XSS). This bug enabled me to take a user's "cookies" after they visited a site. Besides that, I reported two Cross Site Scripting (XSS) bugs to YouTube. I also found an Auth BYPASS that enabled me to delete poll results that Google did for other companies.
What did you do for Facebook?
Facebook had a little bug in their system for their investor site (investor.fb.com) that enabled me to see the private data of some users that I shouldn't be allowed to see. Both Facebook and I were confused as to why this happened under only specific conditions (e.g. special IP addresses), and we found out that it was a bug in their caching system.
Do you actively search through security systems?
Yes. My hobbies are the internet and the security of web applications, and I wish to work in that area in the future. I often compete in competitions with my international team of five members where such knowledge is demanded. I don't search through other sites because that's illegal.
What can you say about the security systems in Croatia?
I'm under the impression that most of the companies in Croatia don't really care about the security of their users. Likewise, there are only a small number of companies that deal with that part of the internet. This personally bugs me, because I don't want my password or personal data to be available to other people.
Where do you see yourself in the future?
I hope that I'll be employed in the security sector. If nothing changes in Croatia in the upcoming years, I'll most likely work abroad. Currently I'm planning, with a few colleagues from college, to start a business that will offer website testing, finding bugs in security systems, as well as website development.