Facebook bolsters bug bounty program with rewards for user token exposure

If you submit a valid case of Facebook user access token leaks, you are eligible for a financial reward.
Written by Charlie Osborne, Contributing Writer

Facebook has extended its bug bounty scheme to offer financial rewards for reports of cases where Facebook user access tokens are exposed by third-party services.

On Monday, Facebook Security Engineering Manager Dan Gurfinkel revealed the changes, which will give security researchers a minimum reward of $500 for each vulnerable app or website reported.

Access tokens permit Facebook users to log into other apps and are generated for each individual person, access request, and application. If this information is leaked, this can lead to a variety of attacks, such as account and session hijacking, information theft, or potentially Man-in-The-Middle (MiTM) attacks.

Usually, vulnerabilities which reside in third-party services or websites are not within the scope of the bug bounty program. However, Facebook has now updated its bug bounty Terms of Service to include cases of user access token exposure.

CNET: Path, a former Facebook competitor, is shutting down in October

"We will accept reports of such vulnerabilities, but only if the bug is discovered by passively viewing the data sent to or from your device while using the app or website," Facebook says. "You are not permitted to manipulate any request sent to the app or website from your device or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report."

To stop the bug bounty program becoming inundated with small, pilot, and minor apps, the social media giant has also stipulated that only third-party apps with at least 50,000 active users will be considered.

Researchers interested in the new bug bounty addition are restricted to testing with their own account and must include proof-of-concept (PoC) documentation with their reports.

TechRepublic: Facebook data privacy scandal: A cheat sheet

SQLi, XSS, open redirect, and permission-bypass vulnerabilities are not accepted.

If Facebook accepts a report as legitimate, the company has pledged to work with the impacted developer or webmaster to fix their code.

Should a developer refuse to fix the problem, however, they will be suspended from the Facebook platform until the bug has been resolved and a security audit has been conducted.

"We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected, as appropriate," the executive says.

See also: Facebook patches critical server remote code execution vulnerability

Facebook's bug bounty addition builds upon a program launched in April which rewards researchers able to find cases of data abuse by developers on the platform. The tech giant created the scheme in response to the Cambridge Analytica scandal, in which information belonging to 87 million Facebook users was collected and shared without consent.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards