Tech companies, like Apple and Facebook, actually pay people who are able to locate and then report on bugs found within their software. Recently, Facebook paid a security researcher $2,500 for information on a bug that took him less than 3 minutes to discover without any testing or proof of concept. The vulnerability was exposing details of Facebook page administrators through a new feature that Facebook was testing. In his report, security researcher Mohamed Baset says that he received an email from Facebook, inviting him to like a page that he had previously visited and liked a post on.
The interesting part is that he hadn’t liked the page itself; this Facebook feature let page administrators target visitors who had interacted with any of the page’s content. A second interesting detail: a simple “show original” on the email invitation let Baset see that Facebook was exposing the page administrator’s details. Looking at the email’s source, he noticed that it included the administrator’s name along with some other details. This bug isn’t huge and is unlikely to have a devastating outcome, but the fact that it happened at all suggests there are probably more small errors like it.
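The lesson for anyone sending notification email is that the raw source, not just the rendered message, is what the recipient can read. As an added example (not Facebook’s code, and the header and field names are assumptions made up for this illustration), the check below parses an outbound message the way “show original” shows it, flags any header outside an allowlist, and flags any internal-only value that appears in a header or the body before the message is sent:

```python
"""Pre-send audit of an outbound notification email's raw source.

Constructed example: the header names, addresses and admin details below are
assumptions for illustration, not values from the real report.
"""
from email import message_from_string

# Headers a visitor-facing notification legitimately needs. Anything else in
# the raw source is treated as a possible leak of internal data.
ALLOWED_HEADERS = {
    "from", "to", "subject", "date", "message-id", "mime-version",
    "content-type", "content-transfer-encoding",
}

# Internal-only values that must never reach a visitor's inbox.
# Constructed for this example.
INTERNAL_FIELDS = {
    "admin_name": "Alice Example",
    "admin_id": "1000123",
}


def audit_email(raw: str) -> list:
    """Return a list of findings; an empty list means the source looks clean."""
    msg = message_from_string(raw)
    findings = []

    # 1. Any header the template does not need is suspicious on its own.
    for name, value in msg.items():
        if name.lower() not in ALLOWED_HEADERS:
            findings.append(f"unexpected header {name}: {value}")

    # 2. Collect every string a recipient could read: header values and text bodies.
    texts = [value for _, value in msg.items()]
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                texts.append(payload.decode(charset, "replace"))

    # 3. Flag internal values wherever they appear, once per field.
    for label, secret in INTERNAL_FIELDS.items():
        if any(secret in text for text in texts):
            findings.append(f"internal value {label} present")

    return findings


# Constructed sample: a page invitation whose source carries the admin's name
# in a header that the rendered email never shows.
LEAKY_EMAIL = (
    "From: notifications@example.com\n"
    "To: visitor@example.org\n"
    "Subject: Example Page invited you to like their page\n"
    "X-Page-Admin-Name: Alice Example\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "You liked a post on Example Page. Would you like to follow the page?\n"
)

# Same invitation with only the headers the template needs.
CLEAN_EMAIL = (
    "From: notifications@example.com\n"
    "To: visitor@example.org\n"
    "Subject: Example Page invited you to like their page\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "You liked a post on Example Page. Would you like to follow the page?\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, audit_email(raw) or "no findings")
```

Running the audit on every generated message in a test suite (or as a gate in the mail pipeline) catches exactly the class of mistake described above: data that a template or mail library attaches to the message without anyone intending it to be visible.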
Facebook informed Baset that he would be receiving $2,500 for this information, which took him only a couple of minutes to discover. The unsettling part is that Baset’s discovery shows that finding a bug like this no longer requires much technical skill: all you need is the ability to look in the right place and then work out what the problem is. Facebook continues to attract much of the white hat hacking community. In fact, they paid out over $880,000 in bug bounties last year, bringing their total rewards to over $6,300,000.
Facebook’s Security Page states:
Our Whitehat program continues to be a great way to promote quality security research and make Facebook more secure. We’re thrilled to have awarded over $1.5M in rewards to contributors who have taken time to report bugs and help us fix them.
At the same time, we know online security is complex and often relies upon the interaction between lots of different components—many of them outside the code we produce. That’s why a group of experts from the bug bounty world came together today to create the Internet Bug Bounty program. This new initiative will reward and encourage security research that benefits anyone on the web—it’s focused on the types of vulnerabilities that have a big impact but that might otherwise fall through the cracks.
I think this is a great idea. It takes some of the cloak-and-dagger aspects of the hacking industry out of it, in a way that promotes the benefits of these hackers. Hence the term “white hat”. But I also think that it demonstrates to the world that while Facebook is great at what they do, they’re not perfect. Maybe some people want perfect social networking platforms, but at the same time, it humanizes them in a way that we don’t often get to see. They are acknowledging their mistakes and reimbursing people for pointing those out. There is only so much they can do when it comes to testing, and I suspect some of the greatest testers out there are these white hat hackers. So by all means – reimburse them for finding these errors.