Facebook entices researchers with $40,000 reward for account takeover vulnerabilities

It's not surprising considering Facebook's recent run-ins with account security problems.
Written by Charlie Osborne, Contributing Writer

Facebook has increased the financial rewards for account takeover vulnerabilities in the platform following two severe security breaches impacting millions of users.

On Tuesday, the social networking giant said the ramped up rewards are being issued "to encourage security researchers to work on finding high-impact issues."

The issues at hand are bugs which can lead to the takeover of user accounts, whether through the theft or leak of access tokens or the ability to access a valid user session.

If a vulnerability is uncovered which requires user interaction -- such as clicking on a malicious link, for example -- then a reward of up to $25,000 can be earned. However, if no user interaction is required, the financial reward can reach $40,000.

Facebook also says that a full exploit chain is not required when a report would otherwise have to bypass Linkshim, the mechanism that checks URLs posted on the site against lists of known malicious addresses: a proof of concept that would work if Linkshim were not in the way is enough.

The Facebook domain, Instagram, WhatsApp, and Oculus are all included in the bug bounty program.


Any security hole which could be exploited to hijack user accounts needs to be plugged -- especially as the company cannot afford another wide-scale security catastrophe, such as the one Facebook suffered in recent months.

Facebook was still dealing with the aftermath of the Cambridge Analytica scandal, in which data belonging to 87 million Facebook users was collected and shared for political purposes without consent, when in September another security breach occurred, this time compromising access tokens belonging to roughly 50 million users.

The cyberattack was detected by Facebook engineers who became aware of an unusual traffic spike.

Following the theft of the tokens, which Facebook generates when a user logs in and which are then held both in the user's browser and on Facebook's servers so the user does not have to re-enter a password, the social media giant expanded its bug bounty program.


The move was unusual in that the program now also covers third-party services and apps which expose Facebook access tokens. However, considering the recent battering Facebook took to its reputation and the size of the global service, the company had very little option. Facebook added that a third party's access to the platform would be revoked if it refused to fix a valid security issue that could compromise the security of the network.

"While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities," Facebook says. "We encourage researchers to share their proof of concept reports with us without having to also discover bypasses for Facebook defense mechanisms."


In related news this week, Opera said the firm's browsers -- the standard variant, Mini, and Touch -- are all now covered by the Google Play Security Reward Program. Participating bug bounty hunters can earn up to $5,000 for submitting valid bug reports.
