Pages

18 December 2018

FACEBOOK, UNDER SCRUTINY, PAYS OUT LARGEST BUG BOUNTY YET


THIS HAS NOT been Facebook's proudest year for privacy and security. The company faced the massive Cambridge Analytica data misuse and abuse scandal in April and beyond. It also disclosed its first data breach in October, which compromised information from 30 million accounts. But Facebook has at least one security-focused bright spot it can point to in 2018: its bug bounty.

Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software. Anyone can send a report and, perhaps, receive a reward for helping lock down a company's systems. Welcoming bug reports was a controversial practice for decades, but Facebook's program, which launched in 2011, is one of the oldest and most mature in the industry. The bug bounty has paid out more than $7.5 million over time, including $1.1 million in 2018. And this year Facebook also paid its biggest single bounty ever, $50,000, to one of its top contributors.

The bug that garnered this windfall was in Facebook's developer subscription mechanism for notifications on certain types of user activity. Think of it as RSS for data being generated on Facebook. The researcher found that in certain situations a developer, or attacker, could have manipulated the subscriptions to receive updates that shouldn't have been authorized about certain actions and users. For instance, a rogue developer could have gotten regular updates on who liked or commented on a specific post.

The submission scored Facebook's highest bounty offering because it led to the discovery of a whole class of potential exposures that could have been misused. Of the 17,000 reports the company received in 2018, it paid a bounty on 700, with an average prize of around $1,500.

"It is not uncommon for us to receive reports about high or critical bugs from researchers," says Dan Gurfinkel, Facebook's security engineering manager. "The September security incident involved a case of three different bugs interacting with one another. Among other lessons, it served as a reminder that it's important to get as many eyes as we can to evaluate and test our code. The bug bounty program is an important part of this work, and that's why we continue to develop new ways to engage researchers."

As a result of the Cambridge Analytic revelations, Facebook expanded the scope of its bounty in April to include "data abuse," situations where Facebook's third-party app developers misuse the customer data they get access to. The company also began accepting bug reports about third-party apps themselves, acting as a sort of liaison for vulnerabilities that the social network can't directly fix, but that impact its users. Both of these expansions add important nuance, and are areas that most other companies have yet to grapple with in their own bug bounties. Facebook says that in just a few months it has already begun receiving a number of high quality submissions that address those new bug categories.

"They were very specifically trying to look for something that would be otherwise be difficult to detect via technical means," says Katie Moussouris, a bug bounty expert and founder of the firm Luta Security. "If a third party is authorized to get Facebook data in its terms of service and then is abusing the terms of service, that's very hard to detect."

Luta Security consulted with Facebook on refining the data abuse expansion to articulate a subtle distinction. Facebook wanted to make it clear that researchers shouldn't breach user data in the process of finding problems, but they should submit more nuanced types of data misuse reports whenever it was possible to document these complex interactions safely.

Striking this balance is more challenging than it may initially seem, according to Alex Rice, CTO of the bug bounty development organization HackerOne. Rice consulted on Facebook's bug bounty when it launched in 2011, and says he was impressed to see it expand to accept privacy and third-party reports this year. "The data abuse bounty program is innovative," Rice says. "It's meant to cover a blind spot in many large technology providers, but it's a challenging problem. HackerOne has two customers that are launching similar programs based on the success of Facebook’s data abuse bounty program."

The improvements to Facebook's bug bounty will hopefully give the security community, or anyone else, an expanded avenue to speak up about privacy issues and concerns they come across on the platform. And at such a massive scale, Facebook is bound to have data flow problems and misuse at times—a fact that the company doesn't seem to have really grasped until this year. But while a bug bounty is an important tool, it definitely doesn't solve all of a company's security and privacy challenges.

"As a big proponent of bug bounties, even I don’t think we can stop with them, we still need to do more," Rice says. "Anyone who positions a bounty program as a silver bullet or presents their organization as impenetrable is misleading themselves and misleading the public."

For all of the positive security improvements that came out of Facebook's tumultuous year, the hardest work ahead for the company may not be fixing bugs, but rebuilding user trust.

No comments:

Post a Comment