Facebook Now Offers Bounties For Access Token Exposure

Facebook announced Monday it is expanding its bug bounty program to sniff out vulnerabilities related to access token exposure.

The social media giant will offer at least $500 for vulnerabilities found in third-party apps and websites that involve improper exposure of Facebook user access tokens.

Access tokens are credentials that identify the unique user and the user’s privileges, and enable the user to log into another app using Facebook. Users can decide what information the token and app can access as well as what actions can be taken.

“If exposed, a token can potentially be misused, based on the permissions set by the user,” said Dan Gurfinkel, security engineering manager at Facebook, in a Monday post. “We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”

A Facebook spokesperson told Threatpost that the program has no time limits and is not invite-only – anyone can participate.

The program has strict rules about how these types of bugs can be discovered – they must be discovered passively viewing the data sent to or from the researchers’ device while using the vulnerable app or website – so participants may not manipulate any request sent to the app or website from their devices.

That means that SQL injection (a code injection technique), XSS (cross-site scripting), open redirect, or permission-bypass vulnerabilities (such as Insecure Direct Object Reference flaws) are “strictly out of scope,” according to Facebook’s terms and conditions page.

Further, researchers can’t access data or use any access token from any Facebook account other than their own – and only third-party apps with at least 50,000 active users are within scope.

When submitting a report, “researchers should make sure to include a clear proof-of-concept demonstrating a vulnerability that could allow access or misuse of user access tokens associated with apps on the Facebook platform,” said Gurfinkel.

Typically vulnerabilities in third-party apps or websites that integrate with Facebook (including most pages on apps.facebook.com) are generally not within the scope of the company’s bug bounty program – but the discovery of bugs exposing Facebook user access tokens to unauthorized entities marks an interesting exception.

Bounty Hunters Eye Access Tokens

Bug bounty experts for their part applauded Facebook’s latest bounty efforts.

Edwin Foudil, a security researcher and bug bounty hunter who usually goes under the alias “EdOverflow,” said he often checks code bases and source-code repositories for access tokens.

“I am genuinely impressed by Facebook since targeting a third-party application where a user has given the application permission to use their access token would probably be more effective than attempting to target Facebook itself,” he told Threatpost. “It is rare to see a bug bounty program go out of its way to secure third-party applications too or at the very least acknowledge that applications which rely on access to Facebook are part of Facebook’s attack surface too.”

Amit Elazari, an expert in the policies and legalese surrounding bug bounty programs, told Threatpost that “this is an insightful move from Facebook recognizing that regulators (and users) are going to hold platforms more accountable for the lacking security and privacy practices of the third-parties app and website developers interacting with Facebook services.”

“Corporations are recognizing the price tag (reputational and regulatory) on these types of abuses, although originating from third-parties, is so high, they should tackle them, by all means necessary and as early as possible including by a crowd-sourced bounty system,” Elazari said. “This trend will continue and will possibly expand to AI fairness issues as well.”

Casey Ellis, founder and CTO of Bugcrowd, agreed, applauding Facebook for engaging the hacker community to help them stay ahead when it comes to this particular type of risk.

“This is Facebook continuing to push boundaries in their use of crowd-sourced security,” he told Threatpost in an email. “User access tokens can be as valuable to an attacker as username/password combinations, and vulnerable implementations for the Facebook authentication system by third-party services can provide an easy route for hackers to attack. There’s a lovely symmetry to engaging a crowd of good-faith hackers to assist a crowd of application developers, for the sake of protecting a crowd of users from a crowd of bad guys.”

Facebook And Privacy

Facebook’s bug bounty program, first started in 2011, prompts researchers to find vulnerabilities on the social media platform – but in the past has been expanded to focus more on data related issues as Facebook steps up its initiatives around privacy policies.

Facebook has been  struggling to crack down on data misuse and privacy issues on its platform, particularly since the Cambridge Analytica scandal that broke out in March.

Following that incident, the company in March announced it would expand its bug bounty program in an attempt to crackdown on data misuse by third-party app developers.

That program seems to be working in drawing in interested white hat hackers – including Inti De Ceukelaire, who published a post on his findings through the bug bounty program in May. Ceukelaire said that he found that 120 million users’ data was exposed on a quiz app owned by Nametests.com.

Despite the efforts of the security community, Gurfinkel stressed that app developers are still on the hook when it comes to data protection and privacy for the social media platform’s users. “We would like to emphasize that our bug bounty program does not replace the obligations on app developers to maintain appropriate technical and organizational measures to protect personal data.”