A security researcher who discovered vulnerabilities in an Instagram server apparently traded barbs this week with Instagram parent Facebook’s chief security officer over whether his explorations of the system’s weaknesses went beyond ethical limits.

But Facebook says that his explorations into company systems and downloads of proprietary data went beyond the program’s rules. “We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program,” a Facebook spokesperson wrote in an email to Fast Company. “These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.”

According to accounts by both Wineberg and Stamos, Wineberg initially discovered an Instagram server was running a Web-accessible administrative console with vulnerabilities that could let hackers run arbitrary commands on the machine. He reported the danger to Facebook, which ultimately offered him a $2,500 reward through the bounty program. “Up to this point, everything Wes had done was appropriate, ethical, and in the scope of our program,” wrote Stamos.

After reporting the security hole, Wineberg, who wasn’t immediately available for comment, wrote that he used the access it provided to search for additional weaknesses in the system. He found credentials for a database on the server and used those credentials to download usernames and encrypted passwords for a Web-accessible administrative tool running on the machine. Using an open source password-cracking program on his own computer, Wineberg discovered that several of the passwords were “extremely weak”—some were the same as the account username, and some were common default passwords like “password” and “changeme.” Wineberg reported the weak passwords to Facebook as well.

He also soon discovered a configuration file with access credentials for an account on Amazon’s Simple Storage Service, which he used to access what appeared to be a set of “deployment scripts” stored on the Amazon cloud system. He also downloaded an older stored version of the same data, which contained additional credentials letting him access other S3 repositories, known as buckets. “There appeared to be a lot of potentially sensitive content, but a lot of it was just more versioned tar archives of tools and web applications,” he wrote. “I queued up several buckets to download, and went to bed for the night.”

Wineberg wrote that he avoided downloading what appeared to be user data, in an effort to comply with the bounty program’s privacy rules, but that he accessed a variety of apparently sensitive company data, ranging from Instagram source code to credentials for additional cloud services. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” he wrote. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member.”

According to his timeline, Wineberg didn’t immediately report the files he was able to access with the S3 credentials. While he discovered and tested the credentials on Oct. 24, he didn’t file a related report until Dec. 1, only after he says Facebook rejected his bug bounty claim relating to the weak passwords, citing a breach of user privacy.

“As a researcher on the Facebook program, the expectation is that you report a vulnerability as soon as you find it,” Wineberg says Facebook told him in one email. “We discourage escalating or trying to escalate access as doing so might make your report ineligible for a bounty.”

Wineberg argued those expectations aren’t in Facebook’s published bug bounty rules. Still, the rules do similarly ask researchers to “let us know right away” when a bug is found and “not interact with other accounts without the consent of their owners”—phrasing which seems designed with end user accounts in mind but might also apply to the employee accounts with weak passwords and Facebook’s own S3 accounts.

When Wineberg filed a third report, with the leaked S3 credentials, Facebook appears to have taken it as a sign he was continuing to disregard their guidelines. “The downloading of files from S3 was an unnecessary exfiltration and a violation of a warning we explicitly gave him,” Stamos wrote. “I really didn’t want him setting a precedent that you could download an arbitrary amount of data and call it legit.” Wineberg has since said he’s deleted the data, according to security publication Threatpost, and Facebook says it’s changed the S3 credentials.

One place where Wineberg and Stamos seem to agree: the incident shouldn’t have a chilling effect on the mutually beneficial relationship that bug bounties have brought to security researchers and tech companies. Facebook says it will take steps to respond to researchers’ reports more quickly and to make its guidelines more explicit.

“We successfully handle hundreds of reports per day, but I don’t think we triaged the reports on this issue quickly enough,” Stamos wrote. “We will also look at making our policies more explicit and will be working to make sure we are clearer about what we consider ethical behavior.”