Facebook announced today that it is expanding its bug bounty program as the company faces increasing criticism for past vulnerabilities in third-party apps that access Facebook user data.
The social media giant will now dole out rewards for developers who report vulnerabilities within user access tokens — the feature that allow users to sign into third-party apps by logging into Facebook, and decide what Facebook information the app can access. If that access token falls into hackers’ hands, they could then gain access to data that the user didn’t intend to share with anyone besides that app.
In a blog post announcing the change, security engineer Dan Gurfinkel said Facebook will only consider reports “if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website.” So researchers can’t create an open redirect, for example, to bypass authentication requirements.
In their report, researchers have to submit a proof-of-concept to show how the vulnerability could allow hackers to access or misuse user data. Facebook will award a minimum of $500 for reports, and will only look at vulnerabilities with apps that have at least 50,000 active users.
“If exposed, a token can potentially be misused, based on the permissions set by the user,” Gurfinkel wrote. “We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”
Large tech companies in general haven’t traditionally considered third-party apps to be within the scope of their bug bounty reports. But Facebook is still dealing with user backlash from allowing third-party apps for years to access large amounts of user data with virtually no oversight, some of which then violated Facebook’s developer policies by giving other parties access to that data — the most notable example being Cambridge Analytica.
In recent months, some apps, such as Bumble and Coffee Meets Bagel, have also given users additional login options outside of Facebook authentication — responding to what they say is increasing user concern about using Facebook login. So it’s critical that Facebook outlines how it will monitor third-party apps in order to restore user trust.
The company also recently completed a revised app review process meant to weed out third-party apps that had access to more user data than they needed.