Facebook fixes critical flaw, cites as example of bounty's success

Facebook has plugged a vulnerability that could have been exploited by electronic miscreants to hijack the accounts of its members with multiple email addresses associated with them.

The vulnerability, discovered by Dan Melamed in June, allows intruders to gain control of a Facebook member's account after conning them to click on a link that adds an email address to their account without the member's knowledge.

"The hacker can then reset the victim's password using the newly added email address, [t]hus allowing the attacker to take complete control over the Facebook account," Melamed explained in his personal blog.
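The flaw class described above is a state-changing action (adding a recovery email) that a victim's browser can be tricked into submitting, followed by a password reset to the unverified address. The following added illustration is not Facebook's code; it is a hypothetical in-memory settings handler showing the two defensive controls that close that path: a per-session anti-forgery token that a cross-site link cannot supply, and a rule that a newly added address cannot receive a password reset until its owner has confirmed it. All names and data stores are assumptions.

```python
import hmac
import secrets

# Constructed in-memory state (hypothetical): session -> user; user -> email sets
SESSIONS = {"sess-alice": "alice"}
ACCOUNTS = {"alice": {"verified": {"alice@example.com"}, "pending": {}}}
CSRF_TOKENS = {}  # session id -> secret embedded in the server-rendered form


def issue_csrf_token(session_id):
    """The real settings page embeds a per-session secret in its form.
    A link or form on another site cannot read it, so a forged request
    arrives without it."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def add_email(session_id, new_email, csrf_token):
    """Hardened add-email handler. A vulnerable version would skip the token
    check and treat the address as usable immediately; this one requires the
    token and only records the address as pending until it is confirmed."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "rejected: not logged in"
    expected = CSRF_TOKENS.get(session_id)
    if expected is None or not hmac.compare_digest(expected, csrf_token or ""):
        return "rejected: missing or invalid CSRF token"
    confirm_code = secrets.token_urlsafe(16)
    ACCOUNTS[user]["pending"][new_email] = confirm_code  # mailed to new_email
    return "pending confirmation"


def confirm_email(user, email, code):
    """Only someone who can read mail at the new address can promote it."""
    pending = ACCOUNTS[user]["pending"].get(email)
    if pending is None or not hmac.compare_digest(pending, code):
        return False
    del ACCOUNTS[user]["pending"][email]
    ACCOUNTS[user]["verified"].add(email)
    return True


def can_reset_password_via(user, email):
    """Reset links go only to confirmed addresses, so an address injected
    by a forged request is useless for account takeover."""
    return email in ACCOUNTS[user]["verified"]
```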

Melamed received $1,500 from Facebook for finding the vulnerability. "We worked with this security researcher to evaluate the scope of this issue and quickly address it," a Facebook spokesman, Michael Kirkland, said in an email.

"The issue has been fixed," he said, "and we have no evidence that it was exploited."

"We've paid out a bounty to this researcher for his contribution to Facebook security, and we want to thank him for reporting this issue responsibly," he added. "This collaboration is a great example of how well our bug bounty program can work."

Facebook's bounty program encourages bug finders to follow an ethical path when they uncover a vulnerability, said Graham Cluley, a security analyst.

"Facebook is an attractive target for cyber criminals, spies and identity thieves because of the wide proportion of the Internet that uses it," Cluley said. "Anything which encourages vulnerability researchers to report their findings to the social network, rather than disclose them to the public at large, or sell them to online criminals has to be good news."

Melamed's ethical actions come on the heels of a New York Times report last weekend about more and more flaw ferrets seeking the highest bidder for their findings without regard to how those findings might be used.


"The truth is, sadly, that bounty programs are never likely to be able to afford as much in payment as the criminal underground or intelligence agencies interested in spying on social networking users," Cluley said. "We continue to be reliant on the ethics of the researcher themselves, who could perhaps earn much more money if they turned to the 'dark side.'"

Although bounties paid by the likes of Facebook, Google and Microsoft will never match those of spy agencies and byte bandits, they have a meaningful role in the hacker ecosystem, said Michael Sutton, vice president of security research for Zscaler and a former operator of a bug bounty program.

"They don't need to match the money of those other alternatives," Sutton told CSOonline. "A lot of bug hunters are very comfortable in their minds doing the right thing, getting the vulnerability to the ultimate party that's impacted."

Bounty programs can buy goodwill with bug hunters with very little downside, said Todd Feinman, founder, president and CEO of Identity Finder. "Bounty programs keep honest people honest," Feinman said. "That's important because if people can see that by doing the right thing, they can make some money, they're less inclined to be unethical."

Although bounty programs have the potential to bite the hand that feeds them, that hasn't been the case, he added. "They have not resulted, that I'm aware, in people finding vulnerabilities and selling them on the black market instead of to the companies," he said.

Over the last 10 years, the bug reporting landscape has changed significantly, Sutton said. Ten years ago, no software vendor had a bug bounty program; now it's common.

"Yes, there are more vulnerabilities being bought and sold for offensive purposes, but I don't think that's indicative of a shift to the 'dark side,'" Sutton said. "I think it's indicative of more overall activity."
