Facebook’s penny-pinching bug bounties make hackers better off on the dark side

hacker_computer_vaultYour privacy is valuable; at least that’s what we’d all like to think. In reality, we’re finding that more and more often, our data is being sold off to the highest bidder, and it looks like we might have yet another example of that being the case. 

But when you think about Facebook, the social network has a less-than-stellar track record when it comes to security. Hackers are exploiting the platform – mainly because of the 1.1 billion users and counting on the site – left and right, poking and prodding from innumerable directions to make a profit off of the data that it’s leaking. So when a whitehat hacker tips the social network off about a glaring security issue that could mean taking over someone’s account, or even resetting passwords, you’d think Facebook would be grateful. Entrepreneur Yvo Schaap, who I interviewed last year when his hacks Erqqvg.com and Vizeddit made the front page of Reddit, would disagree. 

Schaap explains in a blog post that he accidentally found a “major security exploit” not once, but twice. The second time around, which took place after the social network implemented a “Bug Bounty” in 2011 to pay whitehat hackers for their Facebook exploits, he explains that he discovered a bug that enabled him to expose anyone’s private information (restricted accounts included). He says he did this “by jumping a few hoops using cleverness, juggling subdomains around, and walking around a regex.” That’s programmer code for “way too easily.”

Suffice it to say that this discovery – the ability to change information about someone’s Facebook account – was a major hole in Facebook’s system. He could access someone else’s information including email address name, but more importantly change their password, all from Schaap’s own domain.

Now what he’s uncomfortable about is the paltry value that Facebook put on the exploit.

The reimbursement you get from Facebook for disclosing a security vulnerability is really up to Facebook. The minimum award is $500, according to Facebook’s white hat page, and it adds “There is no maximum reward.” And the person disclosing the tip will be added to its page of credits for the year.

“After confirmation, my disclosure of the exploit accessing a user’s account was awarded with the bounty of … $4,500. A nice day’s pay, but a paltry fee for pointing out a gaping hole in the security of a social network holding the personal data of over a billion people,” he explains.

$4,500 might sound like a nice paycheck to the non-hackers among us, but for something of this magnitude, it’s chump change. A member of the black hat hacker group The Happy Ninjas scoffed at how much Facebook was willing to pay for vulnerabilities. How come? He says that if you were to find a zero day vulnerability on Facebook, the exploit would sell for approximately $800,000 on the black market. “We can make $1 million in so many ways, without even selling [off exploits],” he adds. 

Even an exploit like the one that Schaap found may fetch something in the high five figures.

When asked about how Facebook determines the value of exploits brought to its attention, a Facebook spokesperson responded, “It is important to note that we have a minimum but no maximum and our payments are determined by not only the severity of the bug but also several other factors including the quality of the report we receive and the details of the bug itself.”

You might argue that white hat hackers should be doing this research as a  public service, and not for the money – but given the fact that many of them make or supplement their livelihoods this way, a money reward is important. 

That might also explain why just 66 people have been credited for discovering a vulnerability for Facebook in 2013. The Happy Ninjas say that Facebook is extremely vulnerable to attacks if you know how and where to attack, so you have to wonder how many exploits are out there haven’t been reported, and are being exchanged underground for hundreds of thousands if not millions of dollars.

Social Media

Facebook is paying cash rewards if you find vulnerabilities in third-party apps

As part of efforts to put the Cambridge Analytica scandal and related issues behind it, Facebook said this week it's expanding its bug bounty program to include third-party apps and websites that could potentially misuse its data.
Social Media

How to run a free background check

There are plenty of legitimate reasons for carrying out a background check, and not all of them are creepy. Here are several methods that allow you to run a thorough background check on someone online, whether you need to vet a potential…
Mobile

5 much-needed improvements brought to you by Apple's iOS 12

Apple’s mobile operating system keeps getting better and better. Looking beyond the exciting new features, we’ve identified five things that were bugging us that Apple has fixed in iOS 12.
Computing

ProtonVPN and NordVPN patched up vulnerabilities before they became known

Both NordVPN and ProtonVPN have released statements saying that they have already patched out the bugs which were recently discovered in their respective services and everyone using them should be safe.
Social Media

How to Use Facebook: The unofficial user manual

With more than 2 billion monthly active users, Facebook has become the go-to social network. If you're new to the site, our comprehensive guide will lay out both the network's fundamentals and its more intricate functionality.
Social Media

Are Facebook, Instagram taking a Labor Day break? Users report downtime globally

Facebook, the world’s number one social media platform, and subsidiary Instagram are apparently taking some holiday breaks on Labor Day. As of this writing, Facebook and Instagram were facing more than 30 minutes of downtime.
Social Media

Instagram said to be prepping a stand-alone shopping app

Instagram is reportedly building a new stand-alone ecommerce app called "IG Shopping." If it launches, IG Shopping would allow 'grammers to browse and purchase a range of products, similar to how they can in the current app.
Photography

Vimeo thinks regular stock video stinks, launches alternative for creatives

When creators told Vimeo existing stock video options weren't enough, the video platform decided to launch its own. Vimeo Stock includes exclusive content, while creators are being promised a higher-than-average cut of the revenue.
Mobile

Snap's Spectacles 2 can take stills and don't mind the rain

Snapchat has announced new styles for its Spectacles camera-equipped sunglasses. Spectacles 2 are able to take still images and are water-resistant. They're available to order now through Snap's website. 
Social Media

Looking to officially rid your inbox of Facebook messages? Here's how

Deleting messages from Facebook Messenger is almost as easy as scrolling through your News Feed. Here, we show you how to delete an entire conversation or a single message, both of which take seconds.
Web

10 viral video celebrities from the past and where they are now

Ever wonder what happened to William Hung after his less-than-stellar American Idol audition? We take a look at 10 of the most popular viral video celebrities and see what they are up to today.
Social Media

As Twitter and Facebook growth slows, Pinterest hits 250 million users

Pinterest is now home to 250 million active users, despite a pattern of slowed growth and even reduced numbers among the latest reports from other networks. Pinterest also now boasts more than 175 billion pins.
Social Media

Facebook expands fact-checking net to try to catch doctored photos and videos

Facebook is now fact-checking images and video along with articles, using third-party organizations. New A.I. helps flag potential fakes for human review, but user flags and comments still help recognize what content might not be accurate.
Social Media

New to Snapchat? Follow our guide and go from newbie to pro

Whether you're a Snapchat addict or a newbie, our detailed Snapchat guide will help you become a pro in no time. Find out how to get started, spice up your snaps, chat, send money, and carry out a host of other useful actions.