This Facebook Security Breach was "Intended Functionality"

Michael MacTaggert - Sep 29 '18 - - Dev Community

In the wake of Facebook's breach of (more than) 50 million accounts, we're starting to get some explanations, and they are hair-raising. No group is perfect, but it's a chilling reminder of the consequences of missing things in security analyses and audits. One of the ways companies farm out this difficult labor is by offering bug bounties to white hat security researchers who point out vulnerabilities to them. Facebook's current troubles reminded Twitter user @codepaintsleep of their friend's interaction with that program.

In December 2016, Facebook would send an automatic login email to people in certain situations. If that email got forwarded to anybody else, they would be able to click that link and receive full access to your Facebook account. A rare situation, perhaps, but a critical breach of someone's privacy if it ever did happen. @codepaintsleep's friend absolutely did the right thing by reporting the vulnerability, and they didn't even do it for the bounty at first.
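The failure mode above is the classic weakness of a bearer-style "magic link": whoever holds the URL holds the account. The following is an added illustration (not Facebook's code, and nothing is known here about how their mechanism actually worked) of the weak design next to a hardened one, where the emailed token only works when redeemed from the browser that requested it, within a short window, and exactly once. All function names, the `example.invalid` host and the 15-minute TTL are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # hypothetical policy: a login link dies after 15 minutes


@dataclass
class PendingLogin:
    user_id: str
    cookie_digest: str  # SHA-256 of the cookie held by the browser that asked for the link
    expires_at: float
    used: bool = False


# In-memory store standing in for a server-side table (constructed for the example).
_pending: Dict[str, PendingLogin] = {}


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def issue_login_link(user_id: str, requester_cookie: str, now: Optional[float] = None) -> str:
    """Create a single-use login token bound to the requesting browser.

    The token travels in the email; the cookie stays in the browser that
    requested it. A forwarded email therefore carries only half of the pair.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _pending[token] = PendingLogin(user_id, _digest(requester_cookie), now + LINK_TTL_SECONDS)
    return f"https://example.invalid/login?token={token}"  # placeholder host


def token_from_url(url: str) -> str:
    """Pull the token back out of a login URL, as the login endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


def redeem_naive(token: str) -> Optional[str]:
    """The weak design: anyone who presents the token is logged in.

    Forwarding the email is equivalent to forwarding the account.
    """
    entry = _pending.get(token)
    return entry.user_id if entry else None


def redeem(token: str, presented_cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened redemption: the token must be unexpired, unused, and presented
    from the same browser that requested it. Returns the user id or None."""
    now = time.time() if now is None else now
    entry = _pending.get(token)
    if entry is None or entry.used or now > entry.expires_at:
        return None
    # Constant-time compare so a mismatch does not leak timing about the digest.
    if not hmac.compare_digest(entry.cookie_digest, _digest(presented_cookie)):
        return None  # opened from a different browser, e.g. via a forwarded email
    entry.used = True  # burn the token so a replayed link fails
    return entry.user_id


if __name__ == "__main__":
    link = issue_login_link("alice", "browser-cookie-A")
    tok = token_from_url(link)
    print("naive, forwarded recipient:", redeem_naive(tok))          # alice (bad)
    print("hardened, forwarded recipient:", redeem(tok, "browser-cookie-B"))  # None
    print("hardened, original browser:", redeem(tok, "browser-cookie-A"))     # alice
    print("hardened, replayed link:", redeem(tok, "browser-cookie-A"))        # None
```

The binding cookie should be set when the user asks for the link and scoped like any session cookie (Secure, HttpOnly, SameSite). Binding plus a short TTL and single use turns a leaked or forwarded email from a full account takeover into a dead link, which is the property the report in the post was really about.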

However, I don't think the most cynical Facebook critic would have predicted Facebook's reason for not awarding a bounty—they said granting someone else access to your account via forwarding an email intended for yourself was "intended functionality." It was functionality so intended that Facebook patched it out and closed the vulnerability within 20 minutes of a Good Samaritan reporting it.

Obviously, this was just an excuse not to pay, and maybe it doesn't need to be anything more than a multi-billion dollar company being a skinflint. But not paying your bug bounties, especially for something like this, defeats the purpose of the program.

While Facebook is apologizing again and again for controversies, saying they've "learned a lot" from the consequences of their mistakes, always keep in mind that their business model is disregarding your privacy and that is their only intended functionality.
