In the post-Cambridge Analytica phase, Facebook appears to have worked extensively on user data privacy. Even after the Cambridge Analytica incident, though, Facebook remained in the news for dubious data leaks and data-sharing activities, either by Facebook itself or through third-party apps. With this in mind, Facebook has now decided to track vulnerabilities in third-party apps as well. The scope of the Facebook bug bounty program now widens to include vulnerabilities that lead to improper exposure of user access tokens by third-party sites and apps.
Facebook Bug Bounty Now Applies For Third-Party Access Token Exposure
On September 17, 2018, Facebook announced an expansion of its bug bounty program. Earlier, the program covered vulnerability reports for Facebook and its products, including Onavo, Instagram, Internet.org and WhatsApp. Now, considering the risk of data leaks from third-party apps, the firm has extended the program to cover vulnerability reports for third-party apps and websites that result in “improper exposure of user access tokens”.
In other words, Facebook will pay a bounty for reports of flaws that could expose users’ Facebook data. Explaining access tokens in the official announcement, Dan Gurfinkel, Facebook’s Security Engineering Manager, stated,
“Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app. The user decides what information the token and app can access as well as what actions can be taken. If exposed, a token can potentially be misused, based on the permissions set by the user.”
Vulnerability reports submitted under this scope must include a proof of concept (PoC) demonstrating exposure and/or misuse of the access tokens.
What Third-Party App Vulnerabilities Qualify For Bounty
The new scope of Facebook’s bug bounty program covers only vulnerabilities in third-party apps that result in exposure of, or access to, users’ Facebook data; Facebook will not consider any other third-party app vulnerabilities under this program. As explained by Facebook,
“We will only accept reports if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website. You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope.”
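A practitioner reading this scope will want to know what “passively viewing the data sent to or from your device” turns up in practice. The following is an added example, not Facebook’s code and not part of the announcement: it reads a capture of an app’s HTTP requests (a constructed sample is embedded; the hostnames, the app-owned hosts in APP_HOSTS and the EXAMPLE_TOKEN value are all assumptions) and flags the exposures such a report would be built on: a token sent to a host that is neither Facebook nor the app’s own backend, a token sent over plaintext HTTP, and a token left in a page URL so that it leaks through the Referer header. The scan only reads the capture and never replays or alters a request, which keeps it within the passive rule quoted above.

```python
"""Added example: passively scan a capture of an app's HTTP requests for a
Facebook user access token that leaves the device anywhere other than an HTTPS
request to Facebook or to the app's own backend. The scan only reads the
capture; it never replays or modifies requests."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately receive the user's token: Facebook's own endpoints
# plus the hosts the app under test is known to own (assumed for this example).
FACEBOOK_HOSTS = {"graph.facebook.com", "www.facebook.com", "m.facebook.com", "facebook.com"}
APP_HOSTS = {"app.example.com", "api.example.com"}

TOKEN_PARAM = "access_token"
JSON_TOKEN_RE = re.compile(r'"access_token"\s*:\s*"([^"]+)"')
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def tokens_in(text):
    """Return every access_token value in a query string, form body or JSON body."""
    found = parse_qs(text).get(TOKEN_PARAM, [])
    return found + JSON_TOKEN_RE.findall(text)


def scan_request(req, app_hosts=APP_HOSTS):
    """Classify one captured request; returns a list of findings (empty means clean)."""
    findings = []
    url = urlsplit(req["url"])
    host = url.hostname or ""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # Tokens this request carries: query string, body, or Authorization header.
    carried = tokens_in(url.query) + tokens_in(req.get("body", ""))
    bearer = BEARER_RE.match(headers.get("authorization", ""))
    if bearer:
        carried.append(bearer.group(1))

    if carried and host not in FACEBOOK_HOSTS | app_hosts:
        findings.append(f"token sent to third-party host {host}")
    if carried and url.scheme != "https":
        findings.append(f"token sent over plaintext {url.scheme}")
    # A token left in the page URL leaks to every host that sees the Referer.
    if tokens_in(urlsplit(headers.get("referer", "")).query):
        findings.append(f"token leaked via Referer header to {host}")
    return findings


def scan_capture(capture, app_hosts=APP_HOSTS):
    """Return {request index: findings} for every request with a finding."""
    results = {}
    for i, req in enumerate(capture):
        findings = scan_request(req, app_hosts)
        if findings:
            results[i] = findings
    return results


# Constructed capture (not real traffic). EXAMPLE_TOKEN stands in for a real token.
SAMPLE_CAPTURE = [
    {"url": "https://graph.facebook.com/v3.1/me?fields=id,name&access_token=EXAMPLE_TOKEN"},
    {"url": "https://analytics.example.net/collect?page=/profile&access_token=EXAMPLE_TOKEN"},
    {"url": "https://cdn.example.org/app.js",
     "headers": {"Referer": "https://app.example.com/callback?access_token=EXAMPLE_TOKEN"}},
    {"url": "http://api.example.com/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "provider=facebook&access_token=EXAMPLE_TOKEN"},
    {"url": "https://graph.facebook.com/v3.1/me/friends",
     "headers": {"Authorization": "Bearer EXAMPLE_TOKEN"}},
]

if __name__ == "__main__":
    for index, findings in scan_capture(SAMPLE_CAPTURE).items():
        print(index, SAMPLE_CAPTURE[index]["url"], findings)
```

On the sample, the two Graph API requests are clean, while the analytics beacon, the CDN fetch (via its Referer) and the plaintext login post are each flagged. A real capture would come from a proxy or packet capture on your own device, and APP_HOSTS has to be filled in per app, since sending the token to the app’s own backend for verification is normal use rather than exposure.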
Facebook has announced a minimum reward of $500 “per vulnerable app or website”. If a report is confirmed, Facebook will work with the app developer to fix the flaw; any app whose developer does not comply with Facebook’s patch request will face suspension and a security review.
Facebook also reminds third-party app developers that the program does not relieve them of their own responsibility to protect user data.
“We would like to emphasize that our bug bounty program does not replace the obligations on app developers to maintain appropriate technical and organizational measures to protect personal data.”
Facebook still faces trouble over the Cambridge Analytica scandal time and again, so the present step seems much needed. Not to forget, Facebook banned the app “MyPersonality” just a month ago for mishandling users’ data, and around three months ago another popular Facebook app, “NameTests”, was involved in a similar data-exposure incident. Let’s hope the present step helps reduce such data exposures involving Facebook.