Meta targets user information, database scraping in bug bounty expansion
Meta has announced an expansion to its bug bounty platform to include vulnerabilities that can be abused for data scraping.
On Wednesday, the company – recently rebranded from Facebook – said that the two new areas of research revolve around scraping bugs and scraped databases containing user information.
Dan Gurfinkel, Security Engineering Manager, said that the inclusion of valid scraping bugs and exposed data sets in a bug bounty program is, to the firm’s knowledge, an “industry first.”
Meta/Facebook has been involved in numerous incidents around user data scraping. The most well-known is the Cambridge Analytica scandal, in which the data of up to 87 million users was scraped and shared without their consent.
More recently, information belonging to approximately 553 million Facebook users was dumped online. Meta said the mass data collection took place in 2019.
“We know that automated activity designed to scrape people’s public and private data targets every website or service,” Gurfinkel says. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve.”
To assist the company in fixing data-scraping issues across its apps and services rapidly, Meta is looking for reports on vulnerabilities that allow scraping limit mechanisms to be bypassed and those that permit scraping “at a greater scale than the product intended.” In particular, Meta is urging researchers to look for logic bypass issues, although rate limiting errors are in-scope, too.
The scraped database category covers reports of unprotected, openly accessible databases discovered online that contain at least 100,000 records of unique users, as well as sensitive information such as email addresses and phone numbers.
Financial rewards starting at $500 are on offer for scraping bugs, while scraped database reports will be matched with charity donations. Feedback will be sought from the firm’s “top” bug bounty hunters before the expansion.
Gurfinkel also outlined the company’s progress with bug bounties. Since the program’s launch in 2011, over 150,000 bug reports have been received and over 7,800 have been awarded a bounty payment. In total, Meta has now paid out over $14 million.
Over the course of 2021, Meta has awarded $2.3 million to researchers for 800 vulnerability reports, out of approximately 25,000 submitted.
Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk of compromise by threat actors.
By the end of this year, Facebook Protect should be rolled out to over 50 countries. Like Google and Microsoft, Meta offers this service to individuals including lawyers, journalists, civil rights organization members, and political figures.