Facebook to pay researchers to hunt down Instagram apps that abuse user data

Facebook expands Data Abuse Bounty program to Instagram apps.
Written by Catalin Cimpanu, Contributor

Facebook announced today plans to expand its bug bounty program and accept reports about third-party apps that access and misuse Instagram user data.

Today's announcement extends Facebook's Data Abuse Bounty program to cover reports about Instagram apps, in addition to the reports about Facebook data misuse the company was already accepting.

Facebook launched the Data Abuse Bounty program in April 2018, after the Cambridge Analytica scandal, during which Cambridge Analytica employees abused Facebook's platform to harvest data about Facebook users, in violation of Facebook's developer policies.

Through the Data Abuse Bounty program, Facebook offered to pay monetary rewards to security researchers who tracked down similar cases of Facebook apps harvesting or misusing Facebook user data in violation of the company's platform policies.

Starting today, the same offer also applies to Instagram apps: security researchers are free to poke around third-party Instagram apps and check whether they collect more data than they disclose, or collect data for which they have not obtained user consent.

If they find such cases, they can file a report with Facebook's security team, which will investigate each case and pay out a bounty if the report is both valid and well-documented. Under the program's existing rules, rewards can go up to $40,000 per report.

The program has already produced results on the Facebook platform. In February, for example, Nightwatch Security found that a third-party Android application with Facebook API access was copying user data out of the social network and storing it in an insecure manner.

Instagram's Cambridge Analytica moment

Facebook's decision to include Instagram apps in its Data Abuse Bounty program comes after the company banned Instagram advertising partner Hyp3r at the start of the month.

A Business Insider investigation found that Hyp3r had secretly harvested and stored millions of Instagram users' stories, locations, biographies, images, and interests in order to build detailed profiles, a practice that violates Instagram's rules.

"Putting people first is one of Instagram's most important values, and keeping our service secure is an essential part of the work we do to serve our community," Nam Nguyen, Instagram Head of Engineering, told ZDNet.

"Expanding and building on the Facebook bug bounty program is a key development in our ongoing security efforts, and we are grateful to the wider security community for all they do to help keep our platforms safe," Nguyen added.

Facebook has recently been stepping up enforcement against external developers who abuse its platforms and features. Earlier this month, the social network sued LionMobi and JediMobi, two Android app developers, for ad fraud perpetrated against Facebook's Audience Network advertising platform.

Invite-only bug bounty program for Instagram Checkout

In addition to extending the Data Abuse Bounty program to Instagram, Facebook also announced a second bug bounty program targeting another Instagram feature.

The social network said it plans to run an invite-only bug bounty program with selected security researchers, who will be tasked with finding bugs in Checkout, an Instagram feature announced in March that allows users to purchase products directly on Instagram without leaving the app.

"The researchers who are helping us test this feature have previously submitted high-quality research to our bug bounty program," Facebook said.

"As part of their participation, the researchers will receive early access to the feature and receive bounty awards for eligible reports."
