Facebook Security Engineer Michael McGrew and a colleague set out to hack the Western Regional Collegiate Cyber Defense Competition, but their intentions were pure: McGrew had discovered the Collegiate Cyber Defense Competition as a college junior, started a club and brought a team to the WRCCDC, so his stint as one of the event’s “penetration testers” (the red team that attacks the networks the student teams defend) was almost like returning to his roots.
Who says Facebook doesn’t pay out bounties when bugs are reported? Arul Kumar, an electronics and communications engineer from Tamil Nadu in India, is $12,500 richer after reporting a bug that allowed users to delete photos from Facebook via the social network’s support dashboard.
Another case of malware delivered through a fake video is spreading rapidly via Facebook to Google Chrome users, at a rate of about 40,000 per hour, Italian security researcher Carlo De Micheli told The New York Times’ Bits blog.
Facebook is still refusing to pay a bounty to Khalil Shreateh, the security researcher who, after Facebook Security rejected his attempts to report a bug, used it to post directly on Co-Founder and CEO Mark Zuckerberg’s Timeline. Beyond Trust Chief Technology Officer Marc Maiffret, however, is doing his best to make sure Shreateh doesn’t walk away from the experience empty-handed.
Facebook Chief Security Officer Joe Sullivan Defends White Hat Program’s Response To Researcher Who Hacked Mark Zuckerberg
Facebook Chief Security Officer Joe Sullivan said in a note on the Facebook Security page that he understood the frustration expressed by Khalil Shreateh, who used a bug he reported to the social network to post directly to the Timeline of Facebook Co-Founder and CEO Mark Zuckerberg, but he defended the company’s decision to not offer a reward to Shreateh because he involved an actual user (not to mention the head of the company) and did not use a test account.
Facebook Security responded to the recent flurry of reports about the safety of sharing location information with photos posted to the social network and other online destinations, seeking to reassure users by posting an explanation of EXIF data on the Facebook Security page.
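What the EXIF worry actually comes down to is a GPS sub-directory inside the JPEG’s Exif APP1 segment, which any uploader can read before a photo leaves the device. The following is an added example, not code from Facebook’s note or from this page: it builds a constructed skeleton JPEG whose Exif block carries a GPS IFD (the coordinates 37.5, -122.25 and every helper name are invented for the illustration), extracts the coordinates by walking the TIFF directory structure, and strips the Exif segment so the file can be shared without them.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def jpeg_segments(data):
    """Yield (marker, start, end) for each length-prefixed segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        (length,) = struct.unpack_from(">H", data, pos + 2)   # length includes its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        if marker == 0xDA:        # SOS: entropy-coded data follows, no more length-prefixed segments
            return
        pos = end


def exif_tiff(data):
    """Return the TIFF payload of the Exif APP1 segment, or None if the JPEG has none."""
    for marker, start, end in jpeg_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            return data[start + 10:end]
    return None


def _ifd_entries(tiff, offset, bo):
    """Parse one IFD: {tag: (type, count, 4-byte value/offset field)}."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, bo, entry):
    """Decode a RATIONAL array; 3 rationals (24 bytes) never fit inline, so the field is an offset."""
    typ, count, field = entry
    if typ != 5:
        raise ValueError("expected RATIONAL entry")
    (off,) = struct.unpack_from(bo + "I", field)
    return [num / den for num, den in
            (struct.unpack_from(bo + "II", tiff, off + 8 * i) for i in range(count))]


def _ascii(entry):
    """GPS ref strings are 2 bytes, so they are stored inline in the value field."""
    typ, count, field = entry
    return field[:count].rstrip(b"\x00").decode("ascii")


def gps_coordinates(tiff):
    """Return (lat, lon) in signed decimal degrees, or None when no GPS position is present."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]             # TIFF byte order decides every later unpack
    magic, ifd0_off = struct.unpack_from(bo + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _ifd_entries(tiff, ifd0_off, bo)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(bo + "I", ifd0[TAG_GPS_IFD][2])
    gps = _ifd_entries(tiff, gps_off, bo)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def to_degrees(dms, ref):
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return (to_degrees(_rationals(tiff, bo, gps[GPS_LAT]), _ascii(gps[GPS_LAT_REF])),
            to_degrees(_rationals(tiff, bo, gps[GPS_LON]), _ascii(gps[GPS_LON_REF])))


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment; scan data after SOS is copied verbatim."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in jpeg_segments(data):
        if not (marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: a skeleton JPEG whose only real content is an Exif block with a GPS IFD."""
    bo = ">"
    entry = lambda tag, typ, count, field: struct.pack(bo + "HHI", tag, typ, count) + field
    rationals = lambda *pairs: b"".join(struct.pack(bo + "II", n, d) for n, d in pairs)
    lat = rationals((37, 1), (30, 1), (0, 1))      # 37 deg 30' 0" N  -> 37.5
    lon = rationals((122, 1), (15, 1), (0, 1))     # 122 deg 15' 0" W -> -122.25
    # Offsets are relative to the TIFF header: IFD0 at 8, GPS IFD at 26, rationals at 80 and 104.
    ifd0 = (struct.pack(bo + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(bo + "I", 26))
            + struct.pack(bo + "I", 0))
    gps_ifd = (struct.pack(bo + "H", 4)
               + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
               + entry(GPS_LAT, 5, 3, struct.pack(bo + "I", 80))
               + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
               + entry(GPS_LON, 5, 3, struct.pack(bo + "I", 104))
               + struct.pack(bo + "I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(bo + "I", 8) + ifd0 + gps_ifd + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    sos = b"\xff\xda" + struct.pack(">H", 6) + b"\x01\x01\x00\x3f"   # stand-in scan header
    return b"\xff\xd8" + app1 + sos + b"\x12\x34" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS in sample:", gps_coordinates(exif_tiff(photo)))
    print("GPS after strip:", exif_tiff(strip_exif(photo)))
```

The one check that matters before uploading is `gps_coordinates(exif_tiff(data))` returning something other than None; note that real cameras also store GPSAltitude, GPSTimeStamp and, on some phones, a separate location in XMP (APP1 with an `http://ns.adobe.com/xap/1.0/` header), which this stripper leaves in place.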
Since Facebook launched its bug bounty program two years ago, more than $1 million in rewards has been handed out to 329 people in 51 countries, Security Engineer Collin Greene reported in a note on the Facebook Security page.
Facebook’s white hat program dished out another reward, as U.K.-based application security engineer Jack Whitton received $20,000 for alerting the social network about a bug that allowed him to take over other users’ Facebook accounts via text message.
The good news: The Facebook Security team snuffed out a bug that exposed some 6 million Facebook users’ email addresses and phone numbers. The bad news: The bug was active for about one year before being discovered and dealt with.