India, Croatia, and the US come out on top with most bounties issued

Facebook wants you to know that it takes security seriously, as the social networking site releases its annual bug bounty program review, which saw over $1 million paid out to researchers across the globe.

The tech giant has hogged the spotlight for all the wrong reasons throughout 2018, haunted by congressional hearings and ongoing penalties after its handling of user privacy was brought into question with the Cambridge Analytica data scandal.

But while this year’s revelations have been notably disastrous for the platform, Facebook regained some integrity by expanding its bug bounty program with a focus on data abuse and other malicious activity from third-party apps found on the site.

In its yearly retrospective, Facebook said that most of the reports under the added scope amounted to scraping and phishing, but it highlighted the efforts of one researcher who found that a third party’s software development kit (SDK) was collecting users’ access tokens when people signed in to apps via Facebook Login.

“To address the report, we worked with both the SDK provider and the apps using it to ensure they fixed this issue so the apps would run on the patched SDK and access tokens were not being misused even by clients running an older version of the SDK,” Dan Gurfinkel, security engineering manager at Facebook, said in a statement.

Of the roughly 17,800 security issues submitted to its programs in 2018, Facebook paid a bounty on more than 700 reports, with the average payout at $1,500, down from an average of approximately $1,900 in 2017.

This year also saw Facebook award the largest bounty since the program began, reported by Wired as $50,000, for a disclosed flaw that allowed an attacker to monitor user activity without any authorization.

Investigating that report surfaced other potential issues in the subscription backend logic, Facebook said, and the company has since built a detection method for them.

“We have decided to award the researcher based on the maximum possible impact of his report, rather than on the low-severity issue initially reported to us,” Gurfinkel said.

Facebook launched its bug bounty program in 2011, and has awarded more than $7.5 million to date.

India, Croatia, and the US were noted as the top three countries for successful bug submissions this year.

API bug

At the tail end of what can only be described as a terrible year for Facebook, the company’s security team were no doubt hoping the record bug bounty payouts would serve to help end 2018 on something of a positive note.

As The Daily Swig went to press, however, the social media giant revealed that a photo API bug had exposed the images of up to 6.8 million users who had authorized access to certain third-party apps.

Photos that users had uploaded to Facebook but had not publicly posted are also said to have been affected – meaning the platform retains copies of such unposted uploads.

The bug was live between September 13 and 25 this year and affected some 1,500 apps; the issue has since been fixed.

In a statement released on Friday, Facebook said: “We're sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”


RELATED The social network: Facebook’s Bug Bounty program paid out $880,000 in 2017