On the heels of Facebook’s Cambridge-Analytica scandal in March, the social media giant launched a “Data Abuse Bounty Program” in an attempt to crack down on data misuse by third-party app developers.
This past week, the program was put to good use after a bounty hunter working through the program spotted a popular Facebook app that was exposing the personal data – including private information, friends, posts and photos – of millions.
“I think that’s an extension of the idea of crowdsourcing as a way to get work done,” Casey Ellis, CEO of BugCrowd, told Threatpost. “What we’re focused on in bug bounty is mostly the identification of vulnerabilities in code, but what Facebook did with the privacy bounty after Cambridge Analytica, was mostly to use people that have this critical hacker-mindset to solve this issue that they have.”
Facebook in March first made the announcement it was expanding its bug bounty program: “Facebook’s bug bounty program will expand so that people can also report to us if they find misuses of data by app developers. We are beginning work on this and will have more details as we finalize the program updates in the coming weeks,” wrote Ime Archibong, VP of platform partnerships at Facebook, at the time in a post on the Facebook for Developers blog.
Facebook said that it hopes the program will incentivize anyone to report apps collecting user data and passing it off to malicious parties to be exploited.
In an outline of its data abuse bug bounty program, Facebook said it is looking for any situation where a third-party app currently or formerly operating on Facebook collected data from users and then bought, sold, disclosed, transferred, or used Facebook user data in any manner prohibited by its data privacy policies. Should malicious apps be found, Facebook said it would result in termination of the application from the platform.
“It’s an interesting development as an extension to data use and privacy,” Amit Elazari, an expert in the policies and legalese surrounding bug bounty programs, told Threatpost.
The program seems to be working in drawing in interested white hat hackers, at least for Inti De Ceukelaire, who published a post on his findings through the bug bounty program on Wednesday.
Ceukelaire said he found that 120 million users’ data was exposed on a quiz app owned by Nametests.com. The ethical hacker noticed the website would fetch his personal information and display it on the webpage, nametests[.]com/appconfig_user. The data was then available for other sites to swipe, he said.
The researcher said he reported the flaw to Facebook’s Data Abuse program on April 22, and noticed the issue was fixed June 25. Ceukelaire said that, at his request, Facebook donated $8,000 to the Freedom of the Press Foundation as part of its Data Abuse Bounty Program.
“I have mixed feelings about this one. I am glad both Facebook and NameTests cooperated and resolved the issue,” he said. “On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better.”
Craig Young, computer security researcher for Tripwire, said “it’s possible that this could be the start of a trend toward more policy-oriented bug bounties from social media platforms.”
“[The program] really makes a lot of sense to me,” he said. “By expanding their bounty program to include data misuse by app developers, Facebook may have found a way to mobilize their community to self-police. It will be interesting to see if this spurs new bug bounty participation including people less technical than the typical bug hunter.”
Ellis, for his part, told Threatpost he sees the program extension as an emerging trend for other social media websites in the future, particularly as data privacy becomes a bigger issue.
“That’s a new idea and I think it will ramp up slowly but I do see that growing over time as well,” Ellis said.