Facebook’s penny-pinching bug bounties make hackers better off on the dark side

hacker_computer_vaultYour privacy is valuable; at least that’s what we’d all like to think. In reality, we’re finding that more and more often, our data is being sold off to the highest bidder, and it looks like we might have yet another example of that being the case. 

But when you think about Facebook, the social network has a less-than-stellar track record when it comes to security. Hackers are exploiting the platform – mainly because of the 1.1 billion users and counting on the site – left and right, poking and prodding from innumerable directions to make a profit off of the data that it’s leaking. So when a whitehat hacker tips the social network off about a glaring security issue that could mean taking over someone’s account, or even resetting passwords, you’d think Facebook would be grateful. Entrepreneur Yvo Schaap, who I interviewed last year when his hacks Erqqvg.com and Vizeddit made the front page of Reddit, would disagree. 

Schaap explains in a blog post that he accidentally found a “major security exploit” not once, but twice. The second time around, which took place after the social network implemented a “Bug Bounty” in 2011 to pay whitehat hackers for their Facebook exploits, he explains that he discovered a bug that enabled him to expose anyone’s private information (restricted accounts included). He says he did this “by jumping a few hoops using cleverness, juggling subdomains around, and walking around a regex.” That’s programmer code for “way too easily.”

Suffice it to say that this discovery – the ability to change information about someone’s Facebook account – was a major hole in Facebook’s system. He could access someone else’s information including email address name, but more importantly change their password, all from Schaap’s own domain.

Now what he’s uncomfortable about is the paltry value that Facebook put on the exploit.

The reimbursement you get from Facebook for disclosing a security vulnerability is really up to Facebook. The minimum award is $500, according to Facebook’s white hat page, and it adds “There is no maximum reward.” And the person disclosing the tip will be added to its page of credits for the year.

“After confirmation, my disclosure of the exploit accessing a user’s account was awarded with the bounty of … $4,500. A nice day’s pay, but a paltry fee for pointing out a gaping hole in the security of a social network holding the personal data of over a billion people,” he explains.

$4,500 might sound like a nice paycheck to the non-hackers among us, but for something of this magnitude, it’s chump change. A member of the black hat hacker group The Happy Ninjas scoffed at how much Facebook was willing to pay for vulnerabilities. How come? He says that if you were to find a zero day vulnerability on Facebook, the exploit would sell for approximately $800,000 on the black market. “We can make $1 million in so many ways, without even selling [off exploits],” he adds. 

Even an exploit like the one that Schaap found may fetch something in the high five figures.

When asked about how Facebook determines the value of exploits brought to its attention, a Facebook spokesperson responded, “It is important to note that we have a minimum but no maximum and our payments are determined by not only the severity of the bug but also several other factors including the quality of the report we receive and the details of the bug itself.”

You might argue that white hat hackers should be doing this research as a  public service, and not for the money – but given the fact that many of them make or supplement their livelihoods this way, a money reward is important. 

That might also explain why just 66 people have been credited for discovering a vulnerability for Facebook in 2013. The Happy Ninjas say that Facebook is extremely vulnerable to attacks if you know how and where to attack, so you have to wonder how many exploits are out there haven’t been reported, and are being exchanged underground for hundreds of thousands if not millions of dollars.

Get our Top Stories delivered to your inbox: