Facebook is expanding its bug bounty program to include vulnerabilities in third-party apps and websites that involve improper exposure of Facebook user access tokens.
What’s in scope?
“Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app,” security engineer Dan Gurfinkel noted.
“If exposed, a token can potentially be misused, based on the permissions set by the user. We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”
Facebook is asking bug hunters to include a proof-of-concept demonstrating the reported vulnerability, but Gurfinkel warns that they will only accept reports if the bug is discovered by passively viewing the data sent to or from one’s own device while using the vulnerable app or website.
“You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope,” he pointed out.
In the terms of service, the company also noted that bug hunters mustn’t access data or use any access token from any Facebook account other than their own, and that only third-party apps with at least 50,000 active users are within scope.
The social media giant hasn’t put an upper limit to the reward amount it can give out for reports about such bugs, but the minimum has been set at $500 per vulnerable app or website.
Working with third parties
Once the existence of an access token leak is confirmed, Facebook will loop in the app or website developer so they can start working on a fix immediately.
“Apps that do not comply with our request promptly will be suspended from our platform until the issue has been addressed and a security review has been conducted. We will also automatically revoke access tokens that could have been compromised to prevent potential misuse, and alert those we believe to be affected, as appropriate,” Gurfinkel added.