Facebook made a significant concession to vulnerability researchers last week by adding a special setting to Facebook accounts to accommodate whitehat security research.
The new option, named "Whitehat Settings," introduces a mechanism through which security researchers can bypass Facebook's Certificate Pinning security mechanism.
Certificate Pinning normally protects traffic that originates from Facebook mobile apps against interception and sniffing. But according to Facebook, when security researchers turn on the "Whitehat Settings" option, Facebook will intentionally disable its Certificate Pinning mechanism for that account, so the researcher can intercept, sniff, and analyze the traffic that originates from within the app.
Facebook said it implemented the "Whitehat Settings" option at the behest of security researchers who were having a hard time bypassing the Certificate Pinning security measure.
The "Whitehat Settings" option can be enabled in Facebook's main app, its Messenger instant messaging client, and the Instagram app. It is supported only on Facebook's Android apps, not its iOS clients.
Once the feature is enabled, it also comes with its own settings, such as a built-in proxy for Facebook Platform API interactions, the ability to disable Facebook's TLS 1.3 support, and the option to use user-installed certificates for easier traffic interception.
Facebook recommends that security researchers turn this feature off as soon as they stop testing for vulnerabilities, as it also weakens an account's overall security posture.
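To make the two trust decisions described above concrete, here is an added Python sketch (not Facebook's code) of how a pinning client decides whether to accept a server certificate. The chain must first end in a trusted root, and then the leaf's public key must match a pin; a "whitehat" flag models the setting by also trusting user-installed roots and skipping the pin check. All certificate data, names and pins are constructed stand-ins.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class Cert:
    subject: str
    issuer: str
    spki_der: bytes  # constructed stand-in for the real DER-encoded key


# Constructed sample certificates; none of these are real keys or CA names.
FB_LEAF = Cert("*.facebook.com", "Public CA (constructed)", b"constructed-facebook-spki")
ROTATED_LEAF = Cert("*.facebook.com", "Public CA (constructed)", b"constructed-unknown-spki")
PROXY_LEAF = Cert("*.facebook.com", "Researcher Proxy CA (constructed)", b"constructed-proxy-spki")

# The app ships the pins of its current and backup keys, never the cert itself.
PINNED: Set[str] = {spki_pin(b"constructed-facebook-spki"), spki_pin(b"constructed-backup-spki")}
SYSTEM_ROOTS: Set[str] = {"Public CA (constructed)"}
USER_ROOTS: Set[str] = {"Researcher Proxy CA (constructed)"}


def verify_chain(leaf: Cert, pins: Set[str], whitehat: bool) -> Tuple[bool, str]:
    # Step 1: ordinary TLS trust. Normally only the system store counts;
    # with the whitehat flag, user-installed roots are trusted as well.
    trusted = SYSTEM_ROOTS | (USER_ROOTS if whitehat else set())
    if leaf.issuer not in trusted:
        return False, "untrusted issuer"
    # Step 2: pinning. A trusted-but-unpinned key is still rejected, which is
    # why a proxy with a user-installed root fails in normal mode. The whitehat
    # flag skips this step entirely, which is the trade-off the setting makes.
    if whitehat:
        return True, "ok (pinning disabled)"
    if spki_pin(leaf.spki_der) not in pins:
        return False, "pin mismatch"
    return True, "ok (pin matched)"
```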
Facebook has always loved whitehat researchers
It's no surprise that Facebook modified its official apps to support and help whitehat security research. Facebook has always had a friendly approach towards the infosec community, being one of the few companies managing its own bug bounty program, offering large payouts on a regular basis, and often open-sourcing many security-focused tools.
After the Cambridge Analytica scandal last year, Facebook has intensified its efforts to improve the security of its main platform and mobile apps, as well as its adjacent third-party app ecosystem.