Skip to main content
  1. Home
  2. Social Media
  3. Web
  4. Legacy Archives

Facebook’s penny-pinching bug bounties make hackers better off on the dark side

Add as a preferred source on Google

hacker_computer_vaultYour privacy is valuable; at least that’s what we’d all like to think. In reality, we’re finding that more and more often, our data is being sold off to the highest bidder, and it looks like we might have yet another example of that being the case. 

But when you think about Facebook, the social network has a less-than-stellar track record when it comes to security. Hackers are exploiting the platform – mainly because of the 1.1 billion users and counting on the site – left and right, poking and prodding from innumerable directions to make a profit off of the data that it’s leaking. So when a whitehat hacker tips the social network off about a glaring security issue that could mean taking over someone’s account, or even resetting passwords, you’d think Facebook would be grateful. Entrepreneur Yvo Schaap, who I interviewed last year when his hacks Erqqvg.com and Vizeddit made the front page of Reddit, would disagree. 

Recommended Videos

Schaap explains in a blog post that he accidentally found a “major security exploit” not once, but twice. The second time around, which took place after the social network implemented a “Bug Bounty” in 2011 to pay whitehat hackers for their Facebook exploits, he explains that he discovered a bug that enabled him to expose anyone’s private information (restricted accounts included). He says he did this “by jumping a few hoops using cleverness, juggling subdomains around, and walking around a regex.” That’s programmer code for “way too easily.”

Suffice it to say that this discovery – the ability to change information about someone’s Facebook account – was a major hole in Facebook’s system. He could access someone else’s information including email address name, but more importantly change their password, all from Schaap’s own domain.

Now what he’s uncomfortable about is the paltry value that Facebook put on the exploit.

The reimbursement you get from Facebook for disclosing a security vulnerability is really up to Facebook. The minimum award is $500, according to Facebook’s white hat page, and it adds “There is no maximum reward.” And the person disclosing the tip will be added to its page of credits for the year.

“After confirmation, my disclosure of the exploit accessing a user’s account was awarded with the bounty of … $4,500. A nice day’s pay, but a paltry fee for pointing out a gaping hole in the security of a social network holding the personal data of over a billion people,” he explains.

$4,500 might sound like a nice paycheck to the non-hackers among us, but for something of this magnitude, it’s chump change. A member of the black hat hacker group The Happy Ninjas scoffed at how much Facebook was willing to pay for vulnerabilities. How come? He says that if you were to find a zero day vulnerability on Facebook, the exploit would sell for approximately $800,000 on the black market. “We can make $1 million in so many ways, without even selling [off exploits],” he adds. 

Even an exploit like the one that Schaap found may fetch something in the high five figures.

When asked about how Facebook determines the value of exploits brought to its attention, a Facebook spokesperson responded, “It is important to note that we have a minimum but no maximum and our payments are determined by not only the severity of the bug but also several other factors including the quality of the report we receive and the details of the bug itself.”

You might argue that white hat hackers should be doing this research as a  public service, and not for the money – but given the fact that many of them make or supplement their livelihoods this way, a money reward is important. 

That might also explain why just 66 people have been credited for discovering a vulnerability for Facebook in 2013. The Happy Ninjas say that Facebook is extremely vulnerable to attacks if you know how and where to attack, so you have to wonder how many exploits are out there haven’t been reported, and are being exchanged underground for hundreds of thousands if not millions of dollars.

Francis Bea
Former Digital Trends Contributor
Francis got his first taste of the tech industry in a failed attempt at a startup during his time as a student at the…
WhatsApp pausing usernames for hundreds of millions of users over fraud fears
WhatsApp’s phone-number privacy feature runs into scrutiny in India
Electronics, Phone, Mobile Phone

WhatsApp’s plan to let people use usernames instead of phone numbers has run into trouble in India, its biggest market. This newly introduced feature is meant to improve privacy by letting users connect without immediately sharing their phone number. Indian authorities, however, are worried that the same feature could make scams and impersonation harder to control.

India's Ministry of Electronics and Information Technology (MeitY) has asked WhatsApp to pause the username rollout until consultations with the government are complete. That is a major intervention, since WhatsApp has more than 500 million users in the country, who rely on the app for their everyday personal and professional communications.

Read more
X wants you to go live with its new streaming hub, and is offering $1 million to make it worth your while
Live Studio brings scheduling, audience controls, and real-time analytics to X's Creator Studio, but the platform hasn't said how it plans to split the $1 million among creators.
X Live Studio screengrab

X is making a serious push to become a destination for live video, launching a new tool called Live Studio and pledging $1 million in creator payouts to attract streamers to the platform. Nikita Bier, X's head of product, announced the tool on X with a demo showcasing how it works.

Stream controls, real-time analytics, and a $1 million payout

Read more
Reddit is ending anonymous browsing on old Reddit, and longtime users are not happy
Reddit's old interface is getting a login requirement, and its long term future looks uncertain.
Reddit

If you have been quietly browsing old.reddit.com without logging in, that option is going away. Reddit just announced it will require everyone to log in to use old.reddit.com, with the change landing sometime over the next month. A Reddit admin broke the news on the platform, calling it part of a push to tighten how automated systems get into the site.

Why is Reddit locking down the old interface?

Read more