You may have heard of Faouzi Jouti, an Al Akhawayn University student who made headlines as “The Moroccan who discovered a Facebook bug.”
The Moroccan little genie is a mere 21-year-old young man, yet he received a grandiose call from Facebook’s headquarters to thank him for alerting them to a dangerous vulnerability.
Today, The Moroccan Times presents Faouzi in 3D, after we picked him for an interview.
Name: Faouzi Jouti.
City of origin: Marrakech.
Studies: Third year studying Computer Science at Al Akhawayn University in Ifrane.
The Moroccan Times: What are your hobbies/interests, Faouzi?
Faouzi: Well, I would say, Table Tennis, Basketball, Penetration Testing, and Coding.
The Moroccan Times: First steps with a computer?
Faouzi: We got our first family computer in 2001. I started off playing “Age of Empires” and then a few months later, I developed an interest in “computers functioning”, as I was always fascinated by their “intelligence”. During the first two years, I used to install random applications just to monitor their behaviors. A few years later, I was developing desktop applications by myself, and then lately I moved to web apps.
The Moroccan Times: How did your passion for white hacking start and how did it effectively kick in?
Faouzi: It started lately when I was playing “Questions Pour un Champion En ligne”, a game on the “France3 TV” website. I spotted a bug on the website, a bug that allowed anyone to play unlimited games without paying a penny. I reported the bug right away and got a very encouraging reply from “France 3”. After being flooded with kind words and thanks, I just felt, from that time, that reporting web bugs to app owners was my thing, the right thing to do. After this event, whenever I had some spare time, I picked a random website and endeavored to inspect it and send its owners a bug report.
The Moroccan Times: Were you ever tempted to go “black hacker” given all the material benefits/temptations it offers?
Faouzi: I don’t really consider that black-hat hackers get any “real” material benefits. To me, a “real” material benefit is when you honestly and legally earn your money. Hacking to illegally get money from others is simply stealing. Yes, you can “earn” a decent amount of money by going black hacker. Yet, I believe this doesn’t last for long. You will, for sure, get flagged and then arrested, ending up in jail with a zero balance.
Also, the idea of putting your hands on someone’s money is intolerable, whether in real life or on the internet. I would never go black hacker and I was never tempted to. As a matter of fact, I could have sold that Facebook bug I discovered on the Internet’s black market, but, to me, it is morally unacceptable.
The Moroccan Times: How did you come across the Facebook bug?
Faouzi: Actually, just recently, a friend of mine got his Facebook account hacked. To avoid getting “re-hacked”, he planned to use the “Login Approvals” feature that Facebook offers. Once this feature is activated, even if a hacker has your password, he won’t be able to access your account, unless he uses the same browser you use. In other words, he needs your own computer. The “Login Approvals” feature consists of confirming your login by entering a special code Facebook sends to your phone whenever you try to access your account from a different browser. This said, every account is associated with a phone number and a specific browser ID.
Back to our subject, I would say it started when my friend asked me to help him associate his phone number with his FB account. After hours of investigation, I could perceive that Facebook’s “mobile” module wasn’t stable. I decided to step further in my investigation, to inspect it now from a developer’s perspective. Just a little time after that, I found out that by changing some user data, on the fly, I could associate/disassociate any phone number from any Facebook account. This means deactivating the “login approvals” feature from any account with much ease.
The Moroccan Times: Where did you receive Facebook’s call?
Faouzi: I was sleeping at that time. They called me around 9:00 am. I didn’t pay much attention to the caller’s ID and just answered. Then, as my sleepy mood had not effectively kicked out yet, and as I started hearing an English-speaking voice on the other end, I was really confused. After some time, I started making sense of what was going on.
The Moroccan Times: By whom were you exactly contacted?
Faouzi: I was called by a Facebook security team member (called Tommy) who acknowledged the bug’s existence.
The Moroccan Times: Did they offer you a prospective job with them? A certificate? A material reward?
Faouzi: I was offered a money prize and my name now figures on Facebook’s Wall of Fame.
The Moroccan Times: What is your message to all red hackers, especially the Moroccan ones who take advantage of such bugs to get materially enriched?
Faouzi: I want to tell them explicitly that going legal and being honest is the way to go. It is more rewarding, actually. For example, on top of earning material benefits from hundreds of websites offering money prizes to hackers who successfully report bugs on their platforms, having your name listed on a company’s Wall of Fame will drastically improve your chances of getting hired for any penetration testing job. With this view, nothing is better than raising your kids on honest standards, far from any suspicions.
The Moroccan Times: What are your prospective future plans? Are you working on some projects right now?
Faouzi: Yes. Right now I am working on many projects. Two of them revolve around a new face recognition algorithm. I am also working on an auto-solver for text problems. They all still need months of work to unfold. It is worth it, though, as when I unveil them, they will make my daily tasks an icing on the cake.
The Moroccan Times: Thank you, Faouzi, for your time. Wishing you all the best for your projects as well as for your future plans. Keep up the good work.
Faouzi: My pleasure. Thank you for the invitation.
The Moroccan Times: You are welcome. Pleasure shared.