Facebook’s Bug Bounty Caught a Data-Stealing Spree

Despite its best damage-control efforts, Facebook is still dogged by its checkered past on data privacy. But at least some of the security mechanisms the company has put in place are catching problems—and helping them get fixed. Facebook said on Friday that in 2019 its bug bounty saw its largest number of accepted bugs since the program launched nine years ago, paid out its highest single reward ever, and began inviting select researchers to evaluate new features before they launched.

Facebook has consistently expanded its bug bounty over the past few years, adding extra incentives and extending its scope to reward researchers for submitting bugs in other applications’ code that impact Facebook’s platform or users. Bug bounties aren’t a panacea. But Facebook’s has been rewarding bug hunters for important work, including a finding that impacted up to 9.5 million of the social network’s users.

In October, researchers from Indiana University led by Luyi Xing reported an issue related to third-party software-development kits that developers had incorporated into various Android and iOS mobile apps. As first reported in November, these packaged development tools were siphoning data from users including their names, gender identifications, and email addresses. The rogue SDKs could also lift some Facebook account data from apps that let people log in with their Facebook credentials. The researchers also submitted the findings to Twitter, because the same issue could occur if users accessed the app through the social network’s “Log in with Twitter” feature.

“We are always looking for the real-world security and privacy problems, and after the Cambridge Analytica stuff, that was our motivation: to look at whether bad guys can harvest data from Facebook and third parties,” Indiana’s Xing says. “And we found that Facebook data and data from other services are prime targets of malicious attacks.”

When Facebook receives a bug report about a third-party issue, it’s harder for the company to assess what’s really going on, because the flaw isn’t in its own code base. But without such submissions, a data abuse flaw so many steps removed from Facebook itself would be tough to catch.

“This was actually a good sign to see that the bug bounty program is working as we expected it to work,” says Dan Gurfinkel, security engineering manager at Facebook. “Any report about something that is not part of our code base requires more extensive investigation. What we did in this case was to reverse-engineer both examples of the SDK and the apps to understand exactly what is the nature of this malicious SDK and what is it doing.”

Twitter disclosed in November that the bug exposed data of hundreds of users, a relatively small number, and that the company individually notified them. But Facebook notified around 9.5 million users worldwide that their data was “likely impacted” by the malicious SDKs. Both companies blocked apps incorporating the malicious SDKs from using their login frameworks and encouraged their users to check the lists of apps with permission to access their Facebook and Twitter accounts. Facebook also says that it now monitors apps in Apple’s App Store and Google Play to block its login mechanism from being used in any new app that contains SDKs with similar malicious traits. Facebook and Twitter also collaborated with Google and Apple on remediation efforts, and the Indiana University researchers won an additional bug bounty award from Google for their findings.

In 2019, Facebook awarded about $2.2 million in bounties to researchers from more than 60 countries, double the $1.1 million the company paid out in 2018. Since it launched in 2011, the program has awarded more than $9.8 million. The largest award of 2019 was $65,000, up from a high of $50,000 in 2018, for a bug in Facebook’s own system that leaked data fragments along with certain niche error messages. The Indiana University researchers received $30,000 for their malicious SDK finding. Facebook received roughly 15,000 bug reports in 2019, offering awards for 1,300 of them—up from 700 in 2018. As a side project of the bug bounty in 2019, Facebook selected outside researchers to vet Facebook Dating, Checkout on Instagram, and the redesign codenamed FB5 before the features launched worldwide.

As software companies race to combat security incidents and the blowback they invite, bug bounties have become an increasingly popular way to show dedication to improving security and privacy. Facebook’s program is one of the oldest, but it hasn’t given out rewards as high as competitors such as Apple—though Apple only launched its bounty in 2016. And while these programs raise awareness and may act as motivation for some researchers, others emphasize that their work is ultimately not about the reward.

“After seeing what was going on with third-party abuse, we would have done this either way,” Indiana’s Xing says. “Whenever we find a security or privacy-related problem, we always find a channel to report it to the vendor, whether there is a bug bounty program or not.”
