Facebook Broadens Its Bug Bounty to Include Third-Party Apps
Credit to Author: Lily Hay Newman| Date: Mon, 17 Sep 2018 15:00:00 +0000
Facebook was a relatively early proponent of so-called bug bounties, paying out more than $6 million to security researchers who have spotted vulnerabilities in its platform since its program launched in 2011. But as the social network has faced a series of high profile and impactful controversies, its bug bounty increasingly doubles as an opportunity for Facebook to demonstrate maturation. That trend continues Monday, with the company's latest expansion.
Facebook will now accept reports about not just about vulnerabilities in its own products, but in third-party apps and services that connect to Facebook user accounts. Third-party interactions create user risk on the social network, since Facebook vets but doesn't develop the outside apps and can't ensure their integrity as thoroughly as it can its own platform. Users are also responsible for managing the permissions of third-party apps, which can be a confusing and opaque process.
The bounty expansion will specifically focus on third-party bugs that relate to exposure of "user access tokens," the credential that allows apps to interface with Facebook accounts, and that could be exploited to gain inappropriate types of access. For example, researchers have found things like personality quiz services, and JavaScript components in apps, that invasively track user data or pilfer information.
"This is part of our ongoing efforts to improve the security and privacy of people who use Facebook," Dan Gurfinkel, security engineering manager at Facebook, wrote in a blog post announcing the incentive Monday. "We want researchers to have a clear channel to report these important issues when they find them, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."
In April, as the Cambridge Analytica data misuse scandal ratcheted up, Facebook added a data abuse component to its bug bounty that opened the program to submissions related to data mishandling by developers. By now including third-party apps, Facebook shows its awareness of the additional security and privacy risks that can come from external service integrations. An app that doesn't manage access tokens properly could gain insecure access itself, or even be quietly exploited by hackers as a sort of side door into Facebook user accounts.
Facebook says it will only accept submissions in which a researcher discovered a bug by passively using a third-party service, and noticing it sending data improperly to or from their device. "You are not permitted to manipulate any request sent to the app or website from your device," Gurfinkel writes. This means that certain common—and potentially severe—types of vulnerabilities, like authorization bypass and unvalidated redirect bugs that hackers can use to get around authentication requirements, are out of scope.
'We want to do our part to protect people's information, even if the source of a bug is not in our direct control.'
Dan Gurfinkel, Facebook
Companies generally put limits on bug bounties as a safety precaution, and to avoid encouraging illegal or malicious behavior. But when asked about how it would handle submissions discovered through more invasive means, Gurfinkel said Facebook would handle these situations case by case. "If the third-party app permits active testing through a developer's bug bounty program or another arrangement, then the researcher can report the vulnerability to that company," says Gurfinkel. "It is the researcher's responsibility to ensure their tests don't violate the app's terms or applicable laws."
Facebook says that as part of this bug bounty expansion, it will take on the responsibility of liaising with third-party developers to help resolve their bugs. "If we confirm access tokens are being leaked, we will work with the app or website developer to fix their code," Gurfinkel writes. "Apps that do not comply with our request promptly will be suspended from our platform until the issue has been addressed and a security review has been conducted. We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected, as appropriate."
Facebook will award a minimum of $500 for accepted bugs, and says that there is no upper limit for a maximum reward, the amount if calculated based on the importance and severity of a bug. In 2017 the platform's bug bounty paid out an average of $1,900 per bug, with some individual rewards in the tens of thousands of dollars.
Facebook insists that the expansion is not a way to lessen its own responsibility to vet third-party apps, but rather a way to encourage and expand community feedback. "Like any bug bounty program, this is an additional way to reward researchers for important security work," Gurfinkel told WIRED. "It is not a replacement for any internal processes focused on protecting people's information or reducing the frequency of vulnerabilities."
Facebook users have faced repeated exposure from rogue or buggy third-party apps. This latest bug bounty expansion will likely be a welcome, if belated, acknowledgement of a problem the privacy and security communities have warned about for years.