Facebook is receiving flak from security enthusiasts for the way it has handled one of the recent vulnerability disclosures. The social juggernaut was recently made aware of multiple security holes in Instagram, the massive photo sharing network it owns, and while the company moved to plug the gaps, the rest of its actions did not find favour with everyone.
Wesley Wineberg, an independent security researcher, reported multiple vulnerabilities in Instagram to Facebook, which, if exploited, allegedly gave him complete control of the service. After Wineberg informed Facebook about the vulnerabilities, the company offered him a reward for disclosing one of the bugs but also contacted his employer and threatened him with legal action, according to Wineberg.
In his personal blog, Wineberg, a contract employee of security firm Synack, wrote that he found multiple vulnerabilities in Instagram's infrastructure (the technical backend) that allowed him to access the source code for recent versions of Instagram. The vulnerabilities allegedly also allowed Wineberg to access SSL certificates and private keys for Instagram.com, email server credentials, and keys for a handful of other critical functions, including iOS and Android app signing and iOS push notifications.
The vulnerabilities allegedly also allowed Wineberg to access employee accounts and passwords and to find his way into Amazon S3 buckets containing user images and other data. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement. With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member,” Wineberg wrote in a blog post.
“While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data. It is unclear how easy it would be to use the information I gained to then compromise the underlying servers, but it definitely opened up a lot of opportunities,” he added.
Wineberg reported the vulnerabilities to Facebook in three separate disclosures between October 21 and December 1. For the first disclosure, Facebook granted Wineberg a sum of $2,500 (roughly Rs. 166,000). The second and third disclosures, however, weren’t met with any cash rewards. Instead, Wineberg wrote, Alex Stamos, Facebook’s Chief Security Officer, got in touch with Synack CEO Jay Kaplan and said that the vulnerabilities reported by Wineberg were trivial and of “little value”. Stamos added “that he did not want to have to get Facebook’s legal team involved, but that he wasn’t sure if this was something he needed to go to law enforcement over,” according to Wineberg.
Wineberg also says that Stamos demanded that he not make any of the vulnerabilities public, delete all data retrieved from Instagram systems, and confirm that he hadn’t accessed any user data. “Despite all efforts to follow Facebook’s rules, I was now being threatened with legal and criminal charges, and it was all being done against my employer,” Wineberg wrote.
Stamos, in a public note posted on Facebook titled Bug Bounty Ethics, has referred to Wineberg’s exfiltration of user and system data as an unethical action. Stamos also noted that Wineberg was not happy with the sum Facebook was offering him as part of the bug bounty program and that he had threatened to publish details of the keys and other data.
“I told Jay that we couldn’t allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research, and that I wanted to keep this out of the hands of the lawyers on both sides,” Stamos wrote. “I did not threaten legal action against Synack or Wes nor did I ask for Wes to be fired. I did say that Wes’s behaviour reflected poorly on him and on Synack, and that it was in our common best interests to focus on the legitimate RCE report and not the unnecessary pivot into S3 and downloading of data.”
In the comments on the post, Stamos has also made it clear that the company does not expect or allow a researcher to download an arbitrary amount of data as part of a bug disclosure. The incident, as many users point out, has laid bare how unclear the Facebook Bug Bounty Program’s terms and conditions are.
“I’m not quite sure what your definition of ‘ethical’ is – If you want bugs reported immediately and all further investigation stopped immediately SAY SO EXPLICITLY. Otherwise some non-destructive poking around once you’ve found a hole to see how deep it actually goes is pretty much fair game within the boundaries you’ve laid out,” a user wrote.
“Personally, I sympathise more with the penetration tester, but I think there’s no simple answer here. This is just another edge case in the eternal conflict between hackers and suits. Managers want to feel like they control what’s happening on their networks, and hackers want to blast through every barrier, defying that control. Bug bounties attempt to bridge that gap, but obviously in this case, there was a disagreement about how far was ‘too far,’” Sam Bowne, Computer Networking and Ethical Hacking faculty at City College, San Francisco, told Gadgets 360.
“Other recent edge cases also show the two sides: is it OK to hack into the controls of an aircraft in flight? How about hacking into a car while it’s driving on a public street? How about taking a prototype self-driving car out on the freeway? If we block all these things, we stifle innovation, but if we allow them all, we endanger innocents. These disputes are how we search for the middle ground.”
Announced in 2011, the Facebook Bug Bounty Program offers a minimum of $500 (roughly Rs. 34,000) to anyone who reports security vulnerabilities on the Facebook website. Where the line lies on whether a researcher may test how much damage a vulnerability could do has never been clearly drawn.
Several security enthusiasts aren’t happy with Facebook’s approach.
“Really feel this was not the correct response. Everything seemed reasonable apart from contacting the employer as if Wes is some sort of child,” a user noted.
Some users on Reddit believe that Facebook’s actions have set a precedent that would steer researchers away from reporting anything to them.
“This is ridiculous. You can be sure the next time someone finds such a vulnerability they will sell it on the blackout markets,” a user wrote. “Moral of the story: If you find a vulnerability big enough to be potentially worth 4 figures or more, sell it to a 3rd party,” another user chimed in.