Despite its best damage-control efforts, Facebook is still dogged by its checkered past on data privacy. But at least some of the security mechanisms the company has put in place are catching problems—and helping them get fixed.
Facebook said on Friday that its bug bounty saw its largest number of accepted bugs since the program launched nine years ago, paid out its highest single reward ever, and began inviting select researchers to evaluate new features before they launched.
Facebook has consistently expanded its bug bounty over the past few years, adding extra incentives and extending its scope to reward researchers for submitting bugs in other applications' code that impact Facebook's platform or users. Bug bounties aren't a panacea. But Facebook's has been rewarding bug hunters for important work, including a finding that impacted up to 9.
In October, researchers from Indiana University led by Luyi Xing reported an issue related to third-party software-development kits that developers had incorporated into various Android and iOS mobile apps.
As first reported in November, these packaged development tools were siphoning data from users including their names, gender identifications, and email addresses. The rogue SDKs could also lift some Facebook account data from apps that let people log in with their Facebook credentials.
The researchers also submitted the findings to Twitter, because the same issue could occur if users accessed the app through the social network's "Log in with Twitter" feature.
When Facebook receives a bug report about a third-party issue, it's harder for the company to assess what's really going on, because the flaw isn't in its own code base. But without such submissions, a data-abuse flaw so many steps removed from Facebook itself would be tough to catch. As the researchers described their approach: "What we did in this case was to reverse-engineer both examples of the SDK and the apps to understand exactly what the nature of this malicious SDK is and what it is doing."
Twitter disclosed in November that the bug exposed data of hundreds of users, a relatively small number, and that the company individually notified them.
But Facebook notified around 9. Both companies blocked apps incorporating the malicious SDKs from using their login frameworks and encouraged their users to check the lists of apps with permission to access their Facebook and Twitter accounts. Facebook also says that it now monitors apps in Apple's App Store and Google Play to block its login mechanism from being used in any new app that contains SDKs with similar malicious traits.
Facebook and Twitter also collaborated with Google and Apple on remediation efforts, and the Indiana University researchers won an additional bug bounty award from Google for their findings. Facebook received roughly 15, bug reports over the year and offered awards for 1, of them, up from the year before. As a side project of the bug bounty, Facebook selected outside researchers to vet Facebook Dating, Checkout on Instagram, and the redesign codenamed FB5 before the features launched worldwide.
As software companies race to combat security incidents and the blowback they invite, bug bounties have become an increasingly popular way to show dedication to improving security and privacy. Facebook's program is one of the oldest, but it hasn't given out rewards as high as competitors such as Apple, though Apple's bounty is far newer. And while these programs raise awareness and may act as motivation for some researchers, others emphasize that their work is ultimately not about the reward.
A little more than two years ago, we launched a Bug Bounty program to reward the security researchers who report issues to us, and to encourage more people to help us keep Facebook safe and secure. This early progress is really encouraging, in no small part because programs like these can have a significant impact on our ability to keep Facebook secure.
After all, no matter how much we invest in security -- and we invest a lot -- we'll never have all the world's smartest people on our team and we'll never be able to think of all the different ways a system as complex as ours might be vulnerable.
Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world. The bugs we've been able to fix because of the program have varied widely in type and impact. Here's one example, involving Facebook Groups:
If the membership of a Facebook Group drops to one member, and that member is not an admin, our system will offer the admin role to that member so he or she can invite more members, preserve the content in that Group, or shut down the Group if it's no longer needed. Totally independent of this, Facebook allows users to block one another for safety and privacy reasons. Blocking limits someone else from being able to see things you post on your Timeline and prevents them from starting conversation with you.
Blocking is a powerful action, so the check for users being blocked happens before any of the Group checks. Together, these two policies meant a malicious user could theoretically take over a Group by joining it and then blocking every other user in the Group, which would in turn trigger the Group to promote the malicious user to admin. As the program continues to expand, we wanted to shed more light on the general criteria we use to determine the amount to pay researchers when they submit a bug.
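The Groups takeover above is an ordering bug between two independently correct policies: the block filter runs first, so by the time the "last member standing" check runs, everyone the actor has blocked has already vanished from the membership it sees. The following model, written for this page and not taken from Facebook's code, reproduces that interaction with hypothetical names and shows the fix: policy decisions must be made on the unfiltered membership, and the privacy filter applies only to what is displayed.

```python
from dataclasses import dataclass, field


@dataclass
class SocialGraph:
    """Who has blocked whom. Hypothetical model, not Facebook's code."""
    blocks: dict[str, set[str]] = field(default_factory=dict)

    def block(self, blocker: str, target: str) -> None:
        self.blocks.setdefault(blocker, set()).add(target)

    def is_blocked(self, viewer: str, other: str) -> bool:
        # Blocking hides both directions: neither side sees the other.
        return other in self.blocks.get(viewer, set()) or viewer in self.blocks.get(other, set())


@dataclass
class Group:
    members: set[str]
    admins: set[str]


def members_visible_to(group: Group, viewer: str, graph: SocialGraph) -> set[str]:
    """Membership after the block filter, i.e. the group as `viewer` sees it."""
    return {m for m in group.members if m == viewer or not graph.is_blocked(viewer, m)}


def promote_last_member_vulnerable(group: Group, actor: str, graph: SocialGraph) -> bool:
    """Block check runs before the group check: the policy counts membership
    through the actor's filtered view, so blocked members are invisible to it."""
    if actor not in group.members or actor in group.admins:
        return False
    if len(members_visible_to(group, actor, graph)) == 1:
        group.admins.add(actor)
        return True
    return False


def promote_last_member_fixed(group: Group, actor: str, graph: SocialGraph) -> bool:
    """Policy decisions use the unfiltered membership; blocking only affects display."""
    if actor not in group.members or actor in group.admins:
        return False
    if group.members == {actor}:
        group.admins.add(actor)
        return True
    return False


def takeover_attempt(promote) -> bool:
    """Mallory joins a three-person group and blocks everyone else."""
    graph = SocialGraph()
    group = Group(members={"alice", "bob", "carol"}, admins={"alice"})
    group.members.add("mallory")
    for victim in ("alice", "bob", "carol"):
        graph.block("mallory", victim)
    return promote(group, "mallory", graph)


def legitimate_promotion(promote) -> bool:
    """The intended case: a group whose only remaining member is not an admin."""
    return promote(Group(members={"dave"}, admins=set()), "dave", SocialGraph())


if __name__ == "__main__":
    print("vulnerable, attacker becomes admin:", takeover_attempt(promote_last_member_vulnerable))
    print("fixed, attacker becomes admin:", takeover_attempt(promote_last_member_fixed))
```

The general lesson is that a viewer-scoped data fetch is the wrong input for an authorization decision: anything the viewer can influence (here, the block list) becomes an input to the policy.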
We base these decisions on four primary factors: impact, quality of communication, target, and secondary damage. We are very happy with our progress so far, and we want to thank everyone who has participated -- you are the reason this works.
Some are professional researchers; others are students or part-timers. The youngest bounty recipient to date is 13 years old. These researchers are spread across 51 different countries.
There is no cap on the size of bounties in our program. Two recipients have since taken full-time jobs with the Facebook security team.
Impact: Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? For example, an open redirect is worth less than an XSS, and an XSS that requires user interaction is worth less than one that doesn't. Ease of exploitation plays into impact as well. Ultimately we pay these bounties to protect Facebook users, so the more users it could affect and the more damage it could do, the higher the impact.

Facebook recognises the value external security researchers can bring to the security of Facebook systems, and we welcome and seek to reward eligible contributions from security researchers, as outlined below.
If you believe that you have found a security vulnerability on Facebook or on another member of the Facebook family of companies, we encourage you to let us know straight away.
We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines and scope of the programme.
If you are looking to report another type of issue, please use the links below for assistance. In order for you to participate in the programme, we require that: you do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request; and you make a good faith effort to avoid privacy violations and disruptions to others, including but not limited to unauthorised access to or destruction of data, and interruption or degradation of our services.
You must not intentionally violate any applicable laws or regulations, including but not limited to laws and regulations prohibiting the unauthorised access to data. If you inadvertently access another person's data or Facebook company data without authorisation while investigating an issue, you must promptly cease any activity that might result in further access of user or Facebook company data and notify Facebook which information was accessed including a full description of the contents of the information and then immediately delete the information from your system.
Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else. You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside your own account, a test account or another account for which you have the explicit written consent of the account owner to test.
This includes demonstrating additional risk, such as the risk that the security issue could be used to compromise sensitive company data or another user's account. You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
We consider these terms to provide you authorisation, including under the Computer Fraud and Abuse Act (CFAA), to test the security of the products and systems identified as in-scope below. These terms do not give you authorisation to intentionally access company data or data from another person's account without their express consent, including but not limited to personally identifiable information or data relating to an identified or identifiable natural person.
If Facebook determines, at its sole discretion, that you have complied in all respects with these Bug Bounty Programme Terms in reporting a security issue to Facebook, we will not initiate a complaint to law enforcement or pursue a civil action against you, to include civil actions under the CFAA in connection with the research underlying your report and DMCA claims against you for circumventing the technological measures we have used to protect the applications in scope.
Facebook will also not pursue legal action against you for clear accidental or good faith violations of its policy or these terms. Your use of Facebook services and the services of any member of the Facebook family of companies, including for purposes of this programme, remains subject to Facebook's Terms and Policies and the terms and policies of any member of the Facebook family of companies whose services you use.
To the extent activities authorised by these Bug Bounty Programme Terms are inconsistent with other terms of service for in-scope Facebook companies and products, we waive those restrictions for the limited purpose of permitting security research under this policy. If legal action is initiated by a third party against you for conduct that Facebook determines to have complied with these Bug Bounty Programme Terms, Facebook will take steps to make it known, either to the public or the court, that your actions were authorised under this programme.

In practice, it's helpful to use an intercepting proxy to determine the actual endpoints that are hit.
Narrowing down the endpoint is a very important step. A simple repro is fairly straightforward, but issues aren't always that simple. Because finding bugs without source code is hard, you will be forced to make assumptions about how things work behind the scenes. Don't worry, that's ok! Just work to isolate the parts of the reproduction instructions that matter.
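Isolating the parts of a repro that matter can be done mechanically. The script below is an added example for this page, not code from Facebook's report-writing guidance: it parses a raw request as an intercepting proxy would export it, then removes one parameter at a time, keeping each removal only if the bug still reproduces. The endpoint, parameter names and the oracle are all constructed for illustration; in real use `fake_oracle` would be replaced by a function that replays the candidate request and checks the response.

```python
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP request (as exported from an intercepting proxy) into
    method, path, headers and one dict holding query plus form parameters."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def minimize_params(params: dict, triggers: Callable[[dict], bool]) -> dict:
    """Drop every parameter the bug does not depend on.

    `triggers` replays a candidate parameter set and reports whether the bug
    still reproduces. The loop repeats until no single parameter can be
    removed, so the result is 1-minimal even if the oracle is not monotone."""
    if not triggers(params):
        raise ValueError("the original request does not reproduce the bug")
    keep = dict(params)
    changed = True
    while changed:
        changed = False
        for name in list(keep):
            trial = {k: v for k, v in keep.items() if k != name}
            if triggers(trial):
                keep = trial
                changed = True
    return keep


def format_repro(req: dict, params: dict) -> str:
    """One-line repro using only the parameters that matter."""
    if req["method"] == "GET":
        return f"GET {req['path']}?{urlencode(params)}"
    return f"{req['method']} {req['path']} body={urlencode(params)}"


# Constructed capture for a hypothetical app.example endpoint (not a real service).
RAW_CAPTURE = (
    "POST /v1/oauth/dialog?client_id=123456&display=popup&locale=en_US HTTP/1.1\n"
    "Host: app.example\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Cookie: session=abc\n"
    "\n"
    "next=//attacker.example/landing&scope=email&state=xyz&fb_dtsg=token"
)


def fake_oracle(params: dict) -> bool:
    """Stands in for replaying the request and checking the response. The
    hypothetical bug is an open redirect that fires only when `next` is
    protocol-relative and a `client_id` is present."""
    return params.get("next", "").startswith("//") and "client_id" in params


if __name__ == "__main__":
    req = parse_raw_request(RAW_CAPTURE)
    minimal = minimize_params(req["params"], fake_oracle)
    print(format_repro(req, minimal))
```

Each oracle call is a real replay against the target, so keep the test account and the written consent rules above in mind: the minimizer should only ever hit your own accounts, and the loop bounds the number of replays to roughly the square of the parameter count.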
Part 3: Describe the impact Describing the impact of a bug means saying what is broken and how bad it is. Another way to look at this is to say what can be done that shouldn't normally be possible. It's tempting to theorize in this way, but stick to what you know is possible. If you have a specific reason to believe there might be other ways to exploit the bug, please explain why you think that's the case as clearly as you can.
Part 4: Optional, supplementary sections Videos can occasionally help your submission, but please keep any video content short and be sure to keep it private when you upload it otherwise you may accidentally forfeit your bounty, since a public video could lead to public disclosure before the bug is fixed. If you are reporting a bug on a mobile app or similar, it can be helpful to include the version information.
Additionally, a complete report will often include not only the bug but also a recommended fix. Even if you are not sure how to fix a bug, spending time thinking about how we would fix it can lead to greater understanding of the issue on both sides. Ask yourself: is this an issue at all?
Sometimes Whitehat reporters aren't clear about the intended behavior for a function on the site—for example, we've received a number of reports related to the ability for someone to save another person's profile photo.
In these cases, it can be helpful to look through the Facebook Help Center for information about how our site and tools work. It turns out that being able to see another person's profile photo is not a security bug because current profile photos are public. What's the best way to test? If you absolutely cannot test with a Whitehat test account, the next best option is to get permission from a friend to test using their account.
Please don't test your issue in a disruptive or malicious manner; we've unfortunately had to refuse payments in the past for this reason. When we receive a report, we may ask questions of you that seem really basic or obvious.
Please be patient—our goal is to better narrow down the potential bug so that we can reproduce it as quickly as possible.
How does Facebook reward bugs?
Facebook's Bug Bounty Caught a Data-Stealing Spree
The biggest factor in our decisions about reward amounts is impact.
Facebook, Under Scrutiny, Pays Out Largest Bug Bounty Yet
As the social network has faced a series of high-profile and impactful controversies, its bug bounty increasingly doubles as an opportunity for Facebook to demonstrate maturation. That trend continues Monday, with the company's latest expansion. Facebook will now accept reports not just about vulnerabilities in its own products, but about third-party apps and services that connect to Facebook user accounts.
Third-party interactions create user risk on the social network, since Facebook vets but doesn't develop the outside apps and can't ensure their integrity as thoroughly as it can its own platform. Users are also responsible for managing the permissions of third-party apps, which can be a confusing and opaque process. The bounty expansion will specifically focus on third-party bugs that relate to exposure of "user access tokens," the credential that allows apps to interface with Facebook accounts, and that could be exploited to gain inappropriate types of access.
By now including third-party apps, Facebook shows its awareness of the additional security and privacy risks that can come from external service integrations. An app that doesn't manage access tokens properly could gain insecure access itself, or even be quietly exploited by hackers as a sort of side door into Facebook user accounts. Facebook says it will only accept submissions in which a researcher discovered a bug by passively using a third-party service, and noticing it sending data improperly to or from their device.
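Both the rogue-SDK case earlier on this page and the passive third-party reports described here come down to the same observation: Facebook Login data (an access token, or the profile fields obtained with it) leaving the device for a host that has no business receiving it. The script below is an added example, not Facebook's tooling or the Indiana University researchers' code. It runs over a constructed capture of the kind an intercepting proxy produces and flags requests to non-Facebook hosts that carry an access token or the profile fields the article names. The first-party host list and the "EAA" token prefix are assumptions made for the example, not documented formats.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that may legitimately receive a Facebook user access token.
# Assumed list for this example; extend it for the app under test.
FIRST_PARTY_SUFFIXES = ("facebook.com", "fbcdn.net", "instagram.com")

# Heuristic, not a documented format: Facebook access tokens are long opaque
# alphanumeric strings that in practice begin with "EAA".
TOKEN_RE = re.compile(r"\bEAA[A-Za-z0-9]{20,}\b")

# Profile fields the article says the rogue SDKs harvested after Facebook Login.
PROFILE_FIELDS = {"name", "email", "gender"}


def is_first_party(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def _flatten(obj, prefix=""):
    """Yield (dotted.key, leaf value) pairs for nested JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for value in obj:
            yield from _flatten(value, prefix)
    else:
        yield prefix.rstrip("."), obj


def _body_fields(req: dict) -> dict:
    body = req.get("body") or ""
    ctype = req.get("headers", {}).get("Content-Type", "")
    if ctype.startswith("application/json"):
        try:
            return dict(_flatten(json.loads(body)))
        except ValueError:
            return {}
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body).items()}
    return {}


def inspect_request(req: dict) -> list[str]:
    """Return the reasons a captured request looks like Facebook data leaving
    the device for a host that should not receive it (empty list if none)."""
    url = urlsplit(req["url"])
    if is_first_party(url.hostname or ""):
        return []
    reasons = []
    if "access_token" in parse_qs(url.query):
        reasons.append("access_token in query string")
    for key, value in _body_fields(req).items():
        leaf = key.rsplit(".", 1)[-1]
        if leaf == "access_token" or (isinstance(value, str) and TOKEN_RE.search(value)):
            reasons.append(f"access token in body field {key!r}")
        elif leaf in PROFILE_FIELDS:
            reasons.append(f"profile field {key!r} sent to third party")
    if not reasons and TOKEN_RE.search(req["url"] + " " + (req.get("body") or "")):
        reasons.append("token-like string in request")
    return reasons


def find_leaks(capture: list[dict]) -> list[tuple[str, list[str]]]:
    """Run inspect_request over a whole capture; returns (host, reasons) pairs."""
    findings = []
    for req in capture:
        reasons = inspect_request(req)
        if reasons:
            findings.append((urlsplit(req["url"]).hostname, reasons))
    return findings


# Constructed capture: one legitimate Graph API call and two SDK requests.
FAKE_TOKEN = "EAAB" + "Q1w2E3r4" * 6
SAMPLE_CAPTURE = [
    {"method": "GET", "url": f"https://graph.facebook.com/me?fields=name&access_token={FAKE_TOKEN}",
     "headers": {}, "body": ""},
    {"method": "POST", "url": "https://api.sdk-analytics.example/collect",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"event": "login",
                         "user": {"name": "Jane Doe", "email": "jane@example.com", "gender": "female"},
                         "fb": {"access_token": FAKE_TOKEN}})},
    {"method": "GET", "url": "https://cdn.sdk-analytics.example/banner.png", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for host, reasons in find_leaks(SAMPLE_CAPTURE):
        print(host, "->", "; ".join(reasons))
```

This is exactly the passive observation Facebook says it will accept: the researcher uses the app normally and reads the traffic. Note that a leak to a third party is still a finding even when the SDK vendor is "legitimate", because the token grants the same access in anyone's hands.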
This means that certain common—and potentially severe—types of vulnerabilities, like authorization bypass and unvalidated redirect bugs that hackers can use to get around authentication requirements, are out of scope.
Companies generally put limits on bug bounties as a safety precaution, and to avoid encouraging illegal or malicious behavior. But when asked about how it would handle submissions discovered through more invasive means, Gurfinkel said Facebook would handle these situations case by case.
Facebook says that as part of this bug bounty expansion, it will take on the responsibility of liaising with third-party developers to help resolve their bugs. "We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected, as appropriate," the company said. Facebook insists that the expansion is not a way to lessen its own responsibility to vet third-party apps, but rather a way to encourage and expand community feedback.
Facebook users have faced repeated exposure from rogue or buggy third-party apps. This latest bug bounty expansion will likely be a welcome, if belated, acknowledgement of a problem the privacy and security communities have warned about for years.
This has not been Facebook's proudest year for privacy and security. The company faced the massive Cambridge Analytica data misuse and abuse scandal in April and beyond.
It also disclosed its first data breach in October, which compromised information from 30 million accounts. But Facebook has at least one security-focused bright spot it can point to: its bug bounty. Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software. Anyone can send a report and, perhaps, receive a reward for helping lock down a company's systems. Welcoming bug reports was a controversial practice for decades, but Facebook's program is one of the oldest and most mature in the industry.
The bug that earned that record payout was in Facebook's developer subscription mechanism for notifications on certain types of user activity. Think of it as RSS for data being generated on Facebook. The researcher found that in certain situations a developer, or attacker, could have manipulated the subscriptions to receive updates that shouldn't have been authorized about certain actions and users.
For instance, a rogue developer could have gotten regular updates on who liked or commented on a specific post. The submission scored Facebook's highest bounty offering because it led to the discovery of a whole class of potential exposures that could have been misused. Among other lessons, it served as a reminder that it's important to get as many eyes as we can to evaluate and test our code.
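The class of exposure described here is an authorization gap in a publish/subscribe system: the service accepted a subscription on the developer's say-so and then delivered whatever matched it. The model below is an added illustration written for this page, not Facebook's subscription code; the registry, app and user names are hypothetical. It contrasts a subscribe call that trusts the caller with one that checks the user's grant, and shows why the check also belongs at delivery time, since a grant that was valid when the subscription was created can be revoked later.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SubscriptionRegistry:
    """Hypothetical model of a developer notification-subscription service.

    grants: (app_id, user_id) -> fields the user has authorised that app to read.
    subscriptions: (app_id, user_id, field) tuples an app asked to be notified about.
    """
    grants: dict = field(default_factory=lambda: defaultdict(set))
    subscriptions: set = field(default_factory=set)

    def grant(self, user_id: str, app_id: str, fields: set[str]) -> None:
        self.grants[(app_id, user_id)] |= fields

    def revoke(self, user_id: str, app_id: str) -> None:
        self.grants.pop((app_id, user_id), None)

    def subscribe_vulnerable(self, app_id: str, user_id: str, fld: str) -> None:
        # Trusts the caller's claim about which user it may watch.
        self.subscriptions.add((app_id, user_id, fld))

    def subscribe_fixed(self, app_id: str, user_id: str, fld: str) -> None:
        if fld not in self.grants.get((app_id, user_id), set()):
            raise PermissionError(f"{app_id} has no {fld!r} grant from {user_id}")
        self.subscriptions.add((app_id, user_id, fld))

    def deliver(self, user_id: str, fld: str, enforce_at_delivery: bool) -> list[str]:
        """Return the apps that receive an update about `fld` on `user_id`'s objects."""
        notified = []
        for app_id, sub_user, sub_field in sorted(self.subscriptions):
            if (sub_user, sub_field) != (user_id, fld):
                continue
            if enforce_at_delivery and fld not in self.grants.get((app_id, user_id), set()):
                continue
            notified.append(app_id)
        return notified


def rogue_subscription_vulnerable() -> list[str]:
    """An app that was never authorised subscribes to a victim's feed events."""
    reg = SubscriptionRegistry()
    reg.subscribe_vulnerable("rogue-app", "victim", "feed")
    return reg.deliver("victim", "feed", enforce_at_delivery=False)


def rogue_subscription_fixed() -> bool:
    """Same attempt against the checked subscribe; True only if it got through."""
    reg = SubscriptionRegistry()
    try:
        reg.subscribe_fixed("rogue-app", "victim", "feed")
    except PermissionError:
        return False
    return True


def revoked_grant_delivery(enforce_at_delivery: bool) -> list[str]:
    """Grant, subscribe legitimately, then revoke: only a delivery-time check notices."""
    reg = SubscriptionRegistry()
    reg.grant("victim", "good-app", {"feed"})
    reg.subscribe_fixed("good-app", "victim", "feed")
    reg.revoke("victim", "good-app")
    return reg.deliver("victim", "feed", enforce_at_delivery)


if __name__ == "__main__":
    print("vulnerable, rogue app notified:", rogue_subscription_vulnerable())
    print("fixed, rogue subscribe accepted:", rogue_subscription_fixed())
    print("after revoke, subscribe-time check only:", revoked_grant_delivery(False))
    print("after revoke, delivery-time check:", revoked_grant_delivery(True))
```

Checking at subscription time closes the reported bug; checking again at delivery time is what makes the fix cover the whole class, because subscriptions outlive the consent they were created under.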
The bug bounty program is an important part of this work, and that's why we continue to develop new ways to engage researchers. As a result of the Cambridge Analytica revelations, Facebook expanded the scope of its bounty in April to include "data abuse," situations where Facebook's third-party app developers misuse the customer data they get access to. The company also began accepting bug reports about third-party apps themselves, acting as a sort of liaison for vulnerabilities that the social network can't directly fix, but that impact its users.
Both of these expansions add important nuance, and are areas that most other companies have yet to grapple with in their own bug bounties. Facebook says that in just a few months it has already begun receiving a number of high quality submissions that address those new bug categories. Luta Security consulted with Facebook on refining the data abuse expansion to articulate a subtle distinction.
Facebook wanted to make it clear that researchers shouldn't breach user data in the process of finding problems, but they should submit more nuanced types of data misuse reports whenever it was possible to document these complex interactions safely.
Striking this balance is more challenging than it may initially seem, according to Alex Rice, CTO of the bug bounty development organization HackerOne. Rice consulted on Facebook's bug bounty when it launched, and says he was impressed to see it expand to accept privacy and third-party reports this year.
The improvements to Facebook's bug bounty will hopefully give the security community, or anyone else, an expanded avenue to speak up about privacy issues and concerns they come across on the platform. And at such a massive scale, Facebook is bound to have data flow problems and misuse at times—a fact that the company doesn't seem to have really grasped until this year.
But while a bug bounty is an important tool, it definitely doesn't solve all of a company's security and privacy challenges.
For all of the positive security improvements that came out of Facebook's tumultuous year, the hardest work ahead for the company may not be fixing bugs, but rebuilding user trust.