Facebook increases rewards for its bug bounty program and facilitate bug submission
22.11.2018 securityaffairs
Social

Facebook updates its bug bounty program, it is increasing the overall rewards for security flaws that could be exploited to take over accounts.
Facebook announced an important novelty for its bug bounty, the social media giant is going to pay out as much as $40,000 for vulnerabilities that can be exploited to hack into accounts without user interaction.

The Facebook bug bounty program will cover also other companies owned by the social network giant, including Instagram, WhatsApp, and Oculus.

Vulnerabilities that require a minimum user interaction for the exploitation will be paid out $25,000.

“The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.” reads the post published by Facebook.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”

The bug bounty programs are becoming crucial for companies to assess their products and infrastructure and to avoid data breaches.

In September a vulnerability in the ‘View As’ feature allowed hackers to steal access tokens that could be used by attackers to hijack accounts and access to third-party apps that used Facebook as an authentication platform.

Facebook Data Breach

Facebook revealed that hackers accessed data of 29 Million users, a number that is less than initially thought of 50 million.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they were controlling directly then they expanded their activity to their networks.

Facebook aims at encouraging white hat hackers in reporting critical flaws in the social media platform by increasing the awards for bug bounty program and facilitate the process to report account hacking issued.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” concludes Facebook.