My Brief Career as a Facebook Bug Bounty Hunter

You, too, can poke holes in the social media giant's platform while giving up yet even more of your personal information.

Bryan Carney, 12 Apr 2018, TheTyee.ca

Bryan Carney is director of web production at The Tyee.
@bpcarney

Two weeks ago, I told Facebook about a vulnerability that allowed apps to gather data on the Facebook friends of someone who downloads a quiz or game - the same kind of tactic used to collect information on millions of people for Cambridge Analytica.

In fact, I informed them about three vulnerabilities and got a "bug bounty" from Facebook for one of them. It's part of the social media company's program allowing independent coders or well-meaning hackers to help find weaknesses in Facebook's software that could be exploited by malicious hackers.

But there is a very Facebookesque requirement before someone can collect a reward from them: yet more of your personal information. And it is difficult to know if bugs submitted were recognized through your efforts as a bug bounty hunter or if they were fixed by Facebook independently of the submission you made — you are required to trust a company that's under intense public scrutiny, including this week before the U.S. Congress.

Facebook's "white hat" program is designed to encourage coders who find vulnerabilities to turn them in and earn cash rather than sell them to, say, media strategist and former White House staffer Steve Bannon, who is not ordinarily portrayed in white or hats.

The bug bounty style of program has worked so well for companies like Apple, for instance, that it's almost impossible to "jailbreak" the most recent iPhones - basically, install software unapproved by Apple on the devices. Hackers who find a flaw that enables such software hacks often opt to hand it in and take the reward from Apple instead of releasing it to the public, where they might get street cred and perhaps some less legitimate revenue.

The principle behind it is analogous to the catch-and-kill method used by Donald Trump buddy David Pecker at The National Enquirer's parent company (he's also a Postmedia board member) to shut down negative press about the president: pay the highest fee and take the vulnerability out of circulation.

Given its current situation, Facebook would probably avoid anything like another Cambridge Analytica just now. So it has a strong incentive to pay out a bug claim submitted by a white hat hacker.

Facebook offered me a reward for the smaller flaw it acknowledged - a modest sum though well above the company's minimum prize of $500 US. I was given three options to receive the payment.

One was PayPal, where I pictured handing over a percentage of the bounty to company founder Elon Musk (though he sold PayPal 16 years ago) and waiting years to spend it all on eBay.

Another was through wire transfer, which sounded like something for a James Bond villain but was neither instant nor online-friendly.

And then there was cryptocurrency - or Bitcoin, specifically, which has much more contemporary elite criminal associations.

The Bitcoin option is particularly amenable to "white hat" programs because it should theoretically offer a bounty claimant some anonymity - one of the major reasons to use crypto funds. A hacker might prefer not to attract attention to their skills, for instance, which may blow their cover and methods in other investigations.

But this is still Facebook. Elite hacker or not, if you want to be paid in untraceable bit-based currency (whose value changes along with entire fortunes each time a well-known crypto-bro tweets their dreams about the future), you're going to have to shell out all that Facebook has ever wanted from you: your personal information.

Facebook referred me to third-party code-for-cash system provider Bugcrowd. And Bugcrowd let me know I wasn't getting a single "bit" of my coin without filling out a W-8BEN tax form with my full legal and verifiable name, phone and address. The Bugcrowd rep did at least briefly break character in an email and acknowledge the irony so that I would get on with it, which I did.

On top of this, if you want to submit a bug, the first thing you'll be asked is to sign in with your Facebook login. Not a tough one to work around with a fake new Facebook account, but you can probably safely bet your account will get a mild perusal by somebody with a little more power on the platform than a survey or game app.

By the next morning, I was assured I would have whatever the sum's equivalent in Bitcoin was then trading at, sitting in a digital wallet so that I could spend my days agonizing over what point in the roller coaster to cash it in.

I awoke to the news I had already lost a good chunk of value from the tail end of a six per cent drop from the day before.

My own fault for choosing the volatile currency.

Meanwhile, Facebook said the largest vulnerability I submitted did not need fixing. But it turns out that same vulnerability was hastily fixed 11 days after I wrote about it for The Tyee.

Facebook's fix was done using a "breaking changes" release, meaning the sudden change would break any apps that relied on the functionality, causing headaches for app developers and Facebook.

This suggests Facebook either strategically denied the vulnerability in their response to me while it made plans to fix it or it failed to see the significance at the time of reporting and later made the change independently of my reporting it to them.

By contrast, when Facebook changed the original friends list that enabled Cambridge Analytica's app to amass a database, it gave the app developers a year to change their code during which it could still use the lists.

"We addressed one issue based on the report, however the other issue reported could only collect public content, which is not in scope for a reward," said a Facebook spokesperson.

The vulnerability I identified is this: until April 4, apps could officially still get the names and profile pictures of your "taggable friends" (usually nearly all of them, because few Facebook users turn this option off) without the friends' consent. The app owners could use your friends' names and images to collect public data on them and tie it to what they already know about you.

The company said it did not have the numbers when asked how many apps had the ability to get "taggable friends" when it suddenly closed the ability. I also asked how many users the apps had and how many taggable friends these users had.

Facebook recently revealed that "malicious actors" used public search tools with no special permissions or access to fetch information about users. These actors used email or phone numbers obtained through identity theft or other leaks as a starting point to target large lists of individuals using the search tool, which enabled the stolen identities to be linked to their public Facebook profiles.

The vulnerability The Tyee presented was the same, except it relied on the friends list Facebook itself was still providing as a starting point, instead of an external list of names.

The search tool that The Tyee pointed out seems to have been shut down completely now, though Facebook said it "should now be changed to be consistent with the other endpoints" on the platform.

Facebook did not offer an explanation for this additional change.

Until April 4, Facebook was still allowing apps to collect the names of users' friends without their consent. Further data on them was then better collected outside the app itself and perhaps from many different computers, making it difficult if not impossible to detect.

Until this scrutiny, these systems were all designed not to restrict but to facilitate data collection. Because of this, there may still be more than a few bucks to be made by even unsophisticated coders who want to poke a few holes in Facebook's various systems and find and report vulnerabilities.

That's as long as the coders trust Facebook will acknowledge any new flaws handed over and don't mind having a few more data points created in the company's files about them.  [Tyee]
