When a hack-a-thon denied this 15-year-old’s application, he found a security flaw on their website — and was then invited to attend

Westborough High School student Theo Bleier.
Westborough High School student Theo Bleier.Lachlan Campbell/MAHACKS

When 15-year-old Theo Bleier’s application to Hack the North, Canada’s largest hack-a-thon, was rejected recently, he didn’t just call it quits and wallow in self-pity.

Instead, the Westborough High School sophomore logged onto his computer and got to work trying to find a way into the event for budding student programmers.

But his key to entry wasn’t a plea to the organizers to reconsider — it was through a backdoor. Bleier, who has a voracious appetite for technology, accessed data related to his admission status on the event’s website, reverse-engineered the code, and then sifted through the information carefully over the course of two hours to pinpoint a security flaw.


After discovering a discrepancy, which allowed him to see how his application was graded and who had graded it, Bleier reached out to organizers to alert them to what he’d found.

So impressed were developers by his ability to highlight the hiccup, and his method of flagging it for them (a very polite e-mail), that it earned Bleier a personal invite to this weekend’s gathering, a first-of-its-kind reversal of their earlier decision.

“The development team said we should maybe consider accepting him. It’s not something that we normally entertain at all,” said Corbin McElhanney, codirector of Hack the North. “The difference here was twofold: he was so respectful in how he disclosed this information to us, and the incredible amount of knowledge, passion, perseverance, and grit that this kid from Boston was able to show by pushing the limits and just experimenting.”

Hack the North, which kicks off this weekend, draws interested students from around the globe who pine for a chance to participate in the prestigious gathering.

The hack-a-thon — now in its sixth year — is being held at the University of Waterloo in Ontario, Canada, a school that some have called the Canadian version of the Massachusetts Institute of Technology.


The event has attracted tech behemoth sponsors such as Google, Quora, Facebook, and Microsoft, school officials say. This year’s keynote speaker is Jack Dorsey, chief executive of Twitter.

For coders and programmers, being part of an experience where 1,500 hand-picked participants band together in small groups to build something innovative in 36 hours is something to be desired. Thousands apply, but only a handful get in, organizers said.

And for Bleier, who works as a junior software engineer at Hack Club, a global network of programming clubs run by high school students, it was no different.

“Hack the North is one of the biggest in North America,” he said. “I spend time going to other hack-a-thons, and none are the scale of Hack the North. That prospect is what sort of appealed to me.”

Bleier first developed a thirst for technology and computers nearly half a decade ago, after his parents purchased him an iPod. He loved the device so much, that he would tinker with it constantly. He even got into creating YouTube videos about its features.

Later, Bleier dipped his toes into the world of “Minecraft,” the popular online video game that infiltrated the computer screens of teenagers around the world. Specifically, he liked the ability to create “modifications” in the game.

“I Googled how to make a Minecraft mod, and it continued from there,” he said.


Then came websites and web apps, he said. As his interest in the world of coding grew, Bleier began attending hack-a-thon’s to grow his network of friends, and fine-tune his skill. He went to his first hack-a-thon in May last year, which he called a “life-changing experience in every way.”

Eventually, it led him to apply for Hack the North in 2018. His application was denied, but he tried again this year. Again, he didn’t get in — so he went to the application website and started to poke around.

“I found I was able to review my own review data, and who reviewed it. I found this bug,” he said. “Then I sent them an e-mail and said, ‘Hey look, here’s what I found, I haven’t shared this around a lot, I just tested it with a few friends, and I think you should know about it and fix it.’ ”

To be clear, Bleier said he didn’t do anything illegal — no illicit hacking or stealing of information from the organization took place.

“None of the things I did here were going out of the way to access or go behind a firewall. It wasn’t malicious,” he said. “I went on to look for discrepancies in their code with the intention of informing them.”

McElhanney, the event’s co-organizer, called it “a concerted effort to manipulate the system in ways it wasn’t meant to,” which in turn “allowed him to access data that our team had accidentally left available” — a move that certainly dazzled them.


“I would say impressed was the first emotion” when we found out, McElhanney said. “Is it embarrassing? Perhaps a little bit. But I’m honestly more thankful that he was able to find this and we know about it now and we learned something from it.”

He added, “[Theo’s] respectful dialogue was fantastic to see, and I think it speaks a lot to his character given this whole situation.”

Although Bleier eventually got his invite to the hacker convention, he unfortunately can’t attend this year, for personal reasons, he said.

But McElhanney said they’ve encouraged him to apply again in the future, a prospect Bleier plans on pursuing.

“It would be fantastic to get in without finding vulnerabilities,” Bleier said. “However, if I get denied again and have to do that, I’ll give it a shot.”

Steve Annear can be reached at steve.annear@globe.com. Follow him on Twitter @steveannear.