Auburn graduate student helps fix vulnerability in Facebook Messenger

By Eduardo Medina

Published: Dec 21, 2018 6:56:00 AM

Nirmit Patel Nirmit Patel

Nirmit Patel won’t call himself a bounty hunter. That’s too cheesy, he said. But he will accept his role in helping make Facebook safer – through bounty hunting, of course.

Patel, a master’s student in computer science and software engineering, recently received a reward from Facebook after catching a bug in Messenger’s software. The online giant began its Bug Bounty Program in 2011. Since then, Facebook has paid out more than $6 million to those that spotted vulnerabilities in its platform, just as Patel did.

“It’s a very beneficial thing that Facebook is doing,” Patel said. “This way, anytime something goes wrong, someone in the world will be able to spot it. This time, it happened to be me. It’s surreal to think how it happened, too.”

In February, Patel called a friend from India through Messenger. They were catching up with the usual small talk before his friend said he was getting another incoming call. The friend apologized and asked Patel if he could put him on hold. “Sure,” Patel replied.

“He put me on hold, but then I perked up because I could hear everything they were saying while I was on hold,” Patel said, laughing at the recollection. “I’m just glad they didn’t talk about me.”

He might have had more motivation to fix the bug then, he said with a chuckle. But Patel still foresaw the potential dangers this malfunction could lead to. More than 100 million people could have been affected by the bug, based on the number of downloads in Google Play. He went to the Facebook bounty portal and submitted the issue.

“After about two weeks, Facebook got back to me and told me that there was no bug,” Patel said. “But I just knew that couldn't be right because I re-created the scenario with my friends and the same thing happened.”

Before contacting Facebook again, Patel wanted to run a few tests and see for sure what was wrong. The bug was occurring when an Android device placed an iOS device on hold to get a call from another iOS device. The bug’s presence was definitive. He placed three phones on a table and took video of how the bug was still causing problems with on-hold calls.

“I knew it was there, so I told the worker at Facebook, ‘Hey, I will get back with you in two weeks because I have exams, but I believe there is a bug occurring within Android devices,’” Patel said.

He pressed send on the email, and after exams, contacted Facebook again. This time, they acknowledged there was, indeed, a bug on Android devices.

“They asked me to test it again, and, unfortunately, the bug was still there,” Patel said. “I didn’t want to wait and know other people were having the same trouble I was, so I thought it would be good to do my part, and tell them where to fix it.”

Patel did just that – he went on the hunt. By the end of March, Patel told Facebook how to fix it.

“I suggested that when a user was getting another call, the code for putting an ongoing call on hold wasn’t getting executed,” Patel said.

The tech giant evaluated Patel’s solution, then updated the software. The bug was finally fixed, and Patel was rewarded his bounty.

Patel decided to donate half of his bounty to a charity in India that helps visually impaired people.

“The way the Facebook bounty works is that whatever portion you decide to donate, Facebook will double it,” Patel said. “I figured I have enough money to get by, and thought I should give it to someone that needs it.”

Patel credits Auburn for giving him a platform to grow as an engineer and as a person.

“The courses I studied taught me new approaches with problem solving,” Patel said. “There are different bugs in the applications we use every day; we just have to take initiative and report it when we encounter one.”

Patel’s motto is to help people whenever possible; software engineering, he said, is helping him achieve this.

“If there is a problem, I have the ability to put it in code, and find a solution,” Patel said. “I think there’s so much we can solve through this.”

Media Contact: Chris Anthony, chris.anthony@auburn.edu, 334.844.3447

Recent Headlines