Facebook rolls out 'Whitehat Settings' to help bug hunters analyze traffic in its mobile apps

New "Whitehat Settings" option available in Facebook, Messenger, and Instagram Android apps.
Written by Catalin Cimpanu, Contributor
Facebook Whitehat Settings enable
Image: Facebook

Facebook made a significant concession to vulnerability researchers last week by adding a special setting to Facebook accounts to accommodate whitehat security research.

The new option, named "Whitehat Settings," introduces a mechanism through which security researchers can bypass Facebook's Certificate Pinning security mechanism.

Certificate Pinning normally protects traffic that originates from Facebook mobile apps against sniffing operations. But according to Facebook, when security researchers turn on the "Whitehat Settings" option, Facebook will intentionally break its Certificate Pinning mechanism for that account, so the researcher can intercept, sniff, and analyze the traffic that originates from within.

Facebook said it implemented the "Whitehat Settings" option at the behest of security researchers who were having a hard time bypassing the Certificate Pinning security measure.

The "Whitehat Settings" option can be enabled on Facebook's main app, its Messenger instant messaging client, and the Instagram app. It is only supported on Facebook's Android apps, but not its iOS clients.

Once the feature is enabled, it also comes with its own settings, such as a built-in proxy for Facebook Platform API interactions, the ability to disable Facebook's TLS 1.3 support, and the option to use user-installed certificates for easier traffic interception.

Facebook Whitehat Settings
Image: ZDNet

The "Whitehat Settings" feature can be enabled by visiting this Facebook settings page, with additional details and video tutorials on this support page.

Facebook recommends that security researchers turn this feature off as soon as they stop testing for vulnerabilities, as it also weakens an account's overall security posture.

Facebook has always loved whitehat researchers

It's no surprise that Facebook modified its official apps to support and help whitehat security research. Facebook has always had a friendly approach towards the infosec community, being one of the few companies managing its own bug bounty program, offering large payouts on a regular basis, and often open-sourcing many security-focused tools.

After the Cambridge Analytica scandal last year, Facebook has intensified its efforts into improving the security of its main platform and mobile apps, but also its adjacent third-party app ecosystem.

Since March last year, Facebook started paying significant bug bounties to researchers who discover exposures of user data in popular Facebook third-party apps and games.

Since September, the social network also expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens.

Two months later, in November, Facebook also began offering rewards of up to $40,000 to researchers who find vulnerabilities that lead to account takeovers.

Facebook's worst privacy scandals and data disasters

Related cyber-security coverage:

Editorial standards