Skip to main content

Facebook is paying cash rewards if you find vulnerabilities in third-party apps

The recent Cambridge Analytica scandal rocked Facebook, prompting the company to examine more closely where its masses of user data ends up and how it’s utilized.

As part of those efforts, the social networking giant this week announced it’s expanding its bug bounty program to include third-party apps and websites that let people use their Facebook accounts to log in.

Recommended Videos

The company says it’s focusing on the access tokens that are uniquely generated for the specific user and app during login.

“The user decides what information the token and app can access as well as what actions can be taken … [but] a token can potentially be misused,” Dan Gurfinkel, Facebook security engineering manager, explained in a post announcing the expanded program.

Gurfinkel said it will pay at least $500 to anyone who spots vulnerabilities that involve “improper exposure of Facebook user access tokens.” The more serious the issue, the greater the amount Facebook will pay, though it makes no mention of a cap.

He added that Facebook is using the program in an effort to create a clear channel for people to report any issues they come across, “and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”

Once an issue has been confirmed by Facebook’s own researchers, it will contact the app or website developer to help them fix their code, and they’ll be suspended from the platform until the issue has been resolved.

“We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected,” Gurfinkel said.

The security engineering manager pointed out that Facebook will only accept reports “if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website.” In other words, researchers are not allowed to “manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report.”

If a flaw is reported by two people working independently of each other, the payment goes to the person who submits the report first. And if the researcher is feeling generous and would like to donate the bounty to charity, Facebook will double the value of the donation.

The expansion of its bug bounty program comes four months after Facebook launched the Data Abuse Bounty Program, another consequence of the damaging Cambridge Analytica scandal in which a third-party app helped to harvest the data of up to 87 million Facebook users for political gain, which led to big questions over the way the social networking company handled user data.

The Data Abuse Bounty program rewards users who discover and report any app or service connected to Facebook that misuses data, specifically, where “a Facebook platform app collects and transfers people’s data to another party to be sold, stolen, or used for scams or political influence,” the company said.

Facebook described its Data Abuse Bounty Program as an industry first.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Bluesky finally adds a feature many had been waiting for
A blue sky with clouds.

Bluesky has been making a lot of progress in recent months by simplifying the process to sign up while at the same time rolling out a steady stream of new features.

As part of those continuing efforts, the social media app has just announced that users can now send direct messages (DMs).

Read more
Reddit just achieved something for the first time in its 20-year history
The Reddit logo.

Reddit’s on a roll. The social media platform has just turned a profit for the first time in its 20-year history, and now boasts a record 97.2 million daily active users, marking a year-over-year increase of 47%. A few times during the quarter, the figure topped 100 million, which Reddit CEO and co-founder Steve Huffman said in a letter to shareholders had been a “long-standing milestone” for the site.

The company, which went public in March, announced the news in its third-quarter earnings results on Tuesday.

Read more
Worried about the TikTok ban? This is how it might look on your phone
TikTok splash screen on an Android phone.

The US Supreme Court has decided to uphold a law that would see TikTok banned in the country on January 19. Now, the platform has issued an official statement, confirming that it will indeed shut down unless it gets some emergency relief from the outgoing president.

“Unless the Biden Administration immediately provides a definitive statement to satisfy the most critical service providers assuring non-enforcement, unfortunately TikTok will be forced to go dark on January 19,” said the company soon after the court’s verdict.
So, what does going dark mean?
So, far, there is no official statement on what exactly TikTok means by “going dark.” There is a lot of speculation out there on how exactly the app or website will look once TikTok shutters in the US.

Read more