Back in 2009 I found a major security exploit on both Facebook and the then-popular MySpace which exposed access to a user's personal data. I reported both data leaks to the social networks, and weeks passed as I had to convince them of the major hole they had left in their security. Reluctantly, the leaks were closed after details appeared on Reddit's homepage. MySpace's PR quickly denied there was an issue at all (luckily a well-regarded TechCrunch reporter could confirm my proof of concept did work) and Facebook proposed to send me a t-shirt as a thank-you (which I never retrieved).

Since then, website security has never become fool-proof, leading to privacy breach news stories and diminishing users' trust in handing over their personal details and content. To counteract these security breaches (and the media exposure that comes with them) most internet giants (Facebook, PayPal, Google, Twitter, GitHub) have set up a so-called whitehat security researcher program which allows whitehat hackers to report security leaks so they can be patched and closed ("responsible disclosure"). In exchange for the disclosure and for not actually exploiting the issue, there will be no prosecution (!) and a finder's bounty as a reward. The idea was initially developed in the software industry, due to a growing black market of parties buying exploits to set up botnets and whatnot, as detailed in this interesting The Economist article.

Facebook initiated such a program in 2011. This year, Facebook already lists 65 people who reported a confirmed vulnerability, which Facebook defines as "[a vulnerability] that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure". In other words, anything that puts user privacy at risk. For example, the researchers Nir Goldshlager, Homakov and Isciurus are all filling up their own blogs detailing their numerous security exploit findings on Facebook and have become well known on the YC news homepage.

Actually, 66 people reported a vulnerability in 2013

Given my experience in 2009 (still not a proud owner of a Facebook t-shirt) and intrigued by the bold sentence on Facebook's security researcher page "There is no maximum reward", I went out and started giving Facebook's code another peek. Tracking several Facebook developer plugins, I stumbled upon an interesting Flash file used by Facebook which serves as a proxy for communicating data between domains (to work around cross-domain browser limitations). For me a clear sign to keep digging. A few hours later, by jumping through a few hoops using cleverness, juggling subdomains around, and sidestepping a regex, I was able to load any user data or content using the user's own Facebook session, as shown in this proof of concept video: http://www.screenr.com/SWi7 [2m11]. In the video I pull in a user's private email addresses, but it could also easily access any content, including items tagged with the privacy restriction "Only Me". Yikes!
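The weakness class described above, a cross-domain proxy whose caller check can be widened by unrelated subdomains, as an added, constructed illustration (this is not Facebook's code and the actual check is not on this page): a loose regex origin check beside a strict parser-based allowlist. All hostnames are invented samples.

```javascript
// Added illustration, not Facebook's own code: a cross-domain messaging
// proxy must decide whether a caller's origin is trusted. A loose regex
// check can be widened by unrelated subdomains; a strict parser-based
// allowlist cannot. All hostnames below are constructed samples.

// Weak check: the pattern is unanchored, so it only asks whether the
// text "example.com" appears anywhere in the origin string.
const LOOSE_ORIGIN_RE = /example\.com/;

function looseOriginAllowed(origin) {
  return LOOSE_ORIGIN_RE.test(origin);
}

// Strict check: parse the origin, require https on the default port, no
// embedded credentials, and an exact match against an explicit host list.
const ALLOWED_HOSTS = new Set(["www.example.com", "apps.example.com"]);

function strictOriginAllowed(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable origin at all
  }
  if (url.protocol !== "https:") return false;
  if (url.port !== "") return false;            // non-default port
  if (url.username || url.password) return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Run both checks over sample origins; returns { origin: [loose, strict] }
// so the cases where the two checks disagree are easy to spot.
function compareChecks(origins) {
  const result = {};
  for (const o of origins) {
    result[o] = [looseOriginAllowed(o), strictOriginAllowed(o)];
  }
  return result;
}

const SAMPLE_ORIGINS = [
  "https://www.example.com",                // legitimate caller
  "https://www.example.com.attacker.test",  // unrelated domain containing the string
  "https://attacker.test/?ref=example.com", // string only appears in the query
  "http://www.example.com",                 // right host, wrong scheme
  "https://www.example.com:8443",           // right host, non-default port
];

console.table(compareChecks(SAMPLE_ORIGINS));
```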

My excitement at the discovery was obviously high, given that my exploit, just like in 2009, completely exposed a Facebook user account.

Facebook's bounty

Facebook holds an unprecedented amount of personal data and content, in quantity as well as in quality, which can't be compared to any other (online) entity. Therein also lies one of their biggest operational risks. After finding the leak, I disclosed the details to Facebook's security team. After confirmation, my disclosure of the exploit accessing a user's account was awarded with the bounty of... $4,500. A nice day's pay, but a paltry fee for pointing out a gaping hole in the security of a social network holding the personal data of over a billion people. Without the disclosure of whitehat hackers, like I did, these exploits can also become available to dubious parties who could wreak (digital) havoc. An example could be a rogue ad network who would love to harvest and tie in users' Facebook identities for ad targeting. Facebook's PR reaction to these exploits is usually that they haven't seen actual usage "in the wild", but obviously if it were abused, it would be in silence (and would also be a punishable offence).

Even aside from whether the discovery & disclosure is worth only USD 4,500: if you hold that against the continuous struggle Facebook has with the privacy of its users, the costs of its thousands of highly skilled employees, and the real implications of exposing users' data to actual dubious parties, $4,500 is clearly a small sum for the help in protecting Facebook users' personal data. With 66 exploit disclosures in the past 5 months you have to wonder how many exploits are found but not disclosed to Facebook, and also why Facebook is so dependent on external security research & disclosure for its user data security.



Update: /r/netsec lists some more technical details if you are interested, and Hacker News has an interesting discussion.

Update #2: I'm now also listed on facebook.com/whitehat.