Facebook expands bug bounty program to include third-party apps

Social network will reward reports of access token exposure

Lego builders dismantling the Facebook logo

Facebook has announced the expansion of its bug bounty program to include third-party apps and websites that allow people log into them using Facebook credentials.

The social network said that it will focus on access tokens that are created during logins for users and apps.

Dan Gurfinkel, Facebook security engineering manager, said that while a user can decide what information the token and app can access as well as what actions can be taken, "if exposed, a token can potentially be misused, based on the permissions set by the user".

"We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control," he added.

Advertisement - Article continues below
Advertisement - Article continues below

To that end, Facebook has updated its terms of service for the bug bounty program to include information about what it expects from these reports.

"For example, researchers should make sure to include a clear proof-of-concept demonstrating a vulnerability that could allow access or misuse of user access tokens associated with apps on the Facebook platform," said Gurfinkel.

He added that the social network will only accept reports if the bug is discovered by passively viewing the data sent to or from a device while using the vulnerable app or website. Potential bounty hunters will not be permitted to manipulate any request sent to the app or website from their device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting their report.

Facebook will pay at least $500 for any vulnerable app or website that involve "improper exposure of Facebook user access tokens".

Once a bug has been confirmed by Facebook, it will then contact the app or website developer to fix their code. "We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected," said Gurfinkel.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020