Posted on November 20, 2020 at 2:16 PM
Facebook’s cash rewards program for security researchers who disclose vulnerabilities has been running for almost 10 years.
The program has saved the social networking giant a lot of headaches that these vulnerabilities would have caused had they been discovered by threat actors instead.
Although Facebook has always had its challenges, especially around privacy, one bright spot has been the bug bounty program. Two of the program’s biggest rewards were paid this year.
One such reward is the $60,000 paid to a researcher for discovering a bug in Messenger. The vulnerability could have allowed a threat actor to call their victims and listen to their conversation before they even picked up the call.
The vulnerability was discovered by a member of Google’s Project Zero team, Natalie Silvanovich. There is already a patch for the vulnerability. But an attacker could have exploited it by simultaneously calling a target and sending them a specially crafted invisible message to trigger the attack.
Once it went through, the hacker could listen to audio from the target’s end for as long as the phone rang.
Facebook adjusted infrastructure to fix bug
While the most common thing to do after a bug is discovered is to ship a client patch, Facebook didn’t follow this route. The company instead adjusted its server-side infrastructure to fix the flaw for all users at once. Facebook also found that no one had exploited the bug, which is good news for users.
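The defensive invariant behind a server-side fix of this kind is simple to state: a call is either ringing or connected, and audio from the callee’s device must never be relayed to the caller until the callee’s own device has accepted the call, whatever other signaling messages arrive in the meantime. The model below is an added illustration of that invariant and is not Facebook’s code; the class and message names (`CallSession`, `SignalMessage`, the `"accept"` and `"hangup"` kinds) are constructed for the example.

```python
"""Illustrative call-signaling model (added example, not Facebook's code).

Enforces the rule that media from the callee only flows once the callee has
explicitly accepted. All names and sample data here are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple


class CallState(Enum):
    RINGING = auto()    # invite delivered, callee has not answered
    CONNECTED = auto()  # callee accepted; media may flow both ways
    ENDED = auto()


@dataclass
class SignalMessage:
    sender: str   # authenticated user id of whoever sent it
    kind: str     # "accept", "hangup", or anything else
    payload: dict = field(default_factory=dict)


@dataclass
class CallSession:
    caller: str
    callee: str
    state: CallState = CallState.RINGING
    audit: List[Tuple] = field(default_factory=list)  # events worth alerting on

    def handle_signal(self, msg: SignalMessage) -> bool:
        """Apply a signaling message; return True only if it changed call state."""
        if msg.kind == "accept":
            # Only the callee's own device may move the call to CONNECTED.
            # An "accept" that did not come from the callee is rejected, not trusted.
            if msg.sender != self.callee or self.state is not CallState.RINGING:
                self.audit.append(("rejected_accept", msg.sender))
                return False
            self.state = CallState.CONNECTED
            return True
        if msg.kind == "hangup":
            if msg.sender not in (self.caller, self.callee):
                self.audit.append(("rejected_hangup", msg.sender))
                return False
            self.state = CallState.ENDED
            return True
        # Unknown message kinds never change call state; log them for review.
        self.audit.append(("ignored", msg.kind, msg.sender))
        return False

    def forward_audio(self, sender: str, frame: bytes) -> Optional[bytes]:
        """Server-side media relay: return the frame to relay, or None to drop it."""
        if self.state is not CallState.CONNECTED:
            self.audit.append(("dropped_audio", sender))
            return None
        if sender not in (self.caller, self.callee):
            return None
        return frame


def simulate_unanswered_call() -> dict:
    """Caller rings callee; a bogus signal arrives before the callee answers."""
    call = CallSession(caller="alice", callee="bob")
    # Constructed: a caller-originated message claims the callee already accepted.
    bogus = call.handle_signal(SignalMessage(sender="alice", kind="accept"))
    # Constructed: a microphone frame from the callee's device while still ringing.
    leaked = call.forward_audio("bob", b"\x00" * 160)
    # The callee genuinely answers from their own device.
    answered = call.handle_signal(SignalMessage(sender="bob", kind="accept"))
    relayed = call.forward_audio("bob", b"\x01" * 160)
    return {
        "bogus_accept_applied": bogus,
        "audio_before_answer": leaked,
        "callee_accept_applied": answered,
        "audio_after_answer": relayed,
        "state": call.state.name,
        "audit": list(call.audit),
    }


if __name__ == "__main__":
    for key, value in simulate_unanswered_call().items():
        print(f"{key}: {value!r}")
```

The point of keeping the check in the relay rather than only in the client is the one the article makes: every user is protected as soon as the server changes, without waiting for app updates. The `audit` list is where a detection team would hook in, since a caller sending `accept` for a call it did not receive is never legitimate traffic.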
Silvanovich said Project Zero’s bug bounty reward wasn’t what motivated the research into and disclosure of the vulnerability.
The bug bounty program is also one of the best and highest paying. For a typical, less critical vulnerability disclosure that would fetch $5,000 at other companies, Facebook would award triple that amount.
The seriousness of the bounty program makes it one of the hottest programs for security researchers. Facebook has kept participants in the bug bounty program highly motivated, and that approach has yielded excellent results for the company.
The amount paid to these researchers when they discover a vulnerability is nothing compared to the damage the vulnerability could have caused had it been found by unethical hackers.
In the ten years since the program launched, there have been over 1,300 reported vulnerabilities, with payouts of $11.7 million to date. Facebook has paid $1.98 million this year alone on over 1,000 submissions.
The bug is similar to the FaceTime group calls vulnerability that Apple patched last year.
Facebook security engineering manager Dan Gurfinkel has spoken about the vulnerability. “What you would see is the attacker calling you and then the phone ringing and they could listen,” he said.
He also said it has already been patched. “We quickly patched this before it was exploited,” Gurfinkel reiterated.
The vulnerability required reverse-engineering to exploit
The vulnerability would have been difficult to exploit, for one thing because both the attacker and the target needed to be logged in to Facebook for Android.
Although it’s similar to the FaceTime bug, a regular user could not have exploited the Facebook vulnerability without a sophisticated technique. The attacker would have needed reverse-engineering tools to deliver the special second message.
And for the attack to succeed, the caller and the target would need to be Facebook friends.
This makes it harder to find the right individual to call. Still, with billions of active Facebook users, it may be possible to find a target population that meets almost all of the parameters.
Silvanovich said the investigation into the Facebook bug started after a similar FaceTime bug was discovered last year, and that other, similar bugs exist in other video conferencing platforms.
Four vulnerabilities have already been discovered and patched as a result of Silvanovich’s research, including ones in JioChat, Mocha, and Signal.
Silvanovich is still looking for other vulnerabilities that may exist in other applications.
Apart from Facebook, other tech companies such as Apple run bug bounty programs as well. Such programs have become a very effective means of keeping systems secure and free of vulnerabilities that can be exploited.