Facebook hosted Security @Scale 2014 at its headquarters in Menlo Park, Calif., Oct. 29, and production engineer Fernanda Weiden recapped the proceedings in a post on the Facebook engineering blog, which also included videos of the event’s presentations.
White Hat Program
Facebook continued its focus on security with two announcements Wednesday related to its white-hat program: The social network is doubling the bounties that it will pay out to researchers who discover white-hat bugs in its ads code, and it released a “Bounty Hunter’s Guide” containing detailed instructions on how to submit those bugs.
Facebook recently made its largest bug bounty payout to date — $33,500, according to ZDNet — to Brazilian computer engineer Reginaldo Silva for his discovery of a vulnerability in the social network’s use of OpenID that had the potential to enable a hacker to take full control of one of its servers.
Who says Facebook doesn’t pay out bounties when bugs are reported? Arul Kumar, an electronics and communications engineer from Tamil Nadu in India, is $12,500 richer after reporting a bug that allowed users to delete photos from Facebook via the social network’s support dashboard.
Facebook is still refusing to pay a bounty to Khalil Shreateh, the security researcher who used the bug he discovered to post directly on Co-Founder and CEO Mark Zuckerberg’s Timeline after Facebook Security rejected his attempts to report it, but Beyond Trust Chief Technology Officer Marc Maiffret is doing his best to make sure Shreateh doesn’t walk away from this experience empty-handed.
Facebook Chief Security Officer Joe Sullivan Defends White Hat Program’s Response To Researcher Who Hacked Mark Zuckerberg
Facebook Chief Security Officer Joe Sullivan said in a note on the Facebook Security page that he understood the frustration expressed by Khalil Shreateh, who used a bug he reported to the social network to post directly to the Timeline of Facebook Co-Founder and CEO Mark Zuckerberg, but he defended the company’s decision to not offer a reward to Shreateh because he involved an actual user (not to mention the head of the company) and did not use a test account.
After Facebook Security Rejected His Bug Report, Khalil Shreateh Used The Bug To Post Directly On Mark Zuckerberg’s Timeline
Palestinian information system expert Khalil Shreateh discovered a bug that allowed Facebook users to post on the Timelines of other Facebook users, even when they were not connected as friends, but when he submitted it to the social network’s white hat program, Facebook Security responded that it was not a bug. So Shreateh went straight to the top, exploiting the bug to post on the Timeline of none other than Facebook Co-Founder and CEO Mark Zuckerberg.
Since Facebook launched its bug bounty program two years ago, more than $1 million in rewards has been handed out to 329 people in 51 countries, Security Engineer Collin Greene reported in a note on the Facebook Security page.
Facebook’s white hat program dished out another reward, as U.K.-based application security engineer Jack Whitton received $20,000 for alerting the social network about a bug that allowed him to take over other users’ Facebook accounts via text message.
The good news: The Facebook Security team snuffed out a bug that exposed some 6 million Facebook users’ email addresses and phone numbers. The bad news: The bug was active for about one year before being discovered and dealt with.