Bounty programs can buy goodwill with bug hunters with very little downside, said one security expert

Facebook has plugged a vulnerability that could have been exploited by electronic miscreants to hijack the accounts of its members with multiple email addresses associated with them.

The vulnerability, discovered by Dan Melamed in June, allows intruders to gain control of a Facebook member’s account after conning them into clicking a link that adds an email address to their account without the member’s knowledge.

“The hacker can then reset the victim’s password using the newly added email address, [t]hus allowing the attacker to take complete control over the Facebook account,” Melamed explained in his personal blog.

Melamed received $1,500 from Facebook for finding the vulnerability. “We worked with this security researcher to evaluate the scope of this issue and quickly address it,” a Facebook spokesman, Michael Kirkland, said in an email. “The issue has been fixed,” he said, “and we have no evidence that it was exploited.”

“We’ve paid out a bounty to this researcher for his contribution to Facebook security, and we want to thank him for reporting this issue responsibly,” he added. “This collaboration is a great example of how well our bug bounty program can work.”

Facebook’s bounty program encourages bug finders to follow an ethical path when they uncover a vulnerability, said Graham Cluley, a security analyst.

“Facebook is an attractive target for cyber criminals, spies and identity thieves because of the wide proportion of the Internet that uses it,” Cluley said. “Anything which encourages vulnerability researchers to report their findings to the social network, rather than disclose them to the public at large, or sell them to online criminals has to be good news.”

Melamed’s ethical actions come on the heels of a New York Times report last weekend about more and more flaw ferrets seeking the highest bidder for their findings without regard to how those findings might be used.

[Also see: Bug bounty programs provide strong value for vendors, study finds]

“The truth is, sadly, that bounty programs are never likely to be able to afford as much in payment as the criminal underground or intelligence agencies interested in spying on social networking users,” Cluley said. “We continue to be reliant on the ethics of the researcher themselves, who could perhaps earn much more money if they turned to the ‘dark side.’”

Although bounties paid by the likes of Facebook, Google and Microsoft will never match those of spy agencies and byte bandits, they have a meaningful role in the hacker ecosystem, said Michael Sutton, vice president of security research for Zscaler and a former operator of a bug bounty program. “They don’t need to match the money of those other alternatives,” Sutton told CSOonline. “A lot of bug hunters are very comfortable in their minds doing the right thing, getting the vulnerability to the ultimate party that’s impacted.”

Bounty programs can buy goodwill with bug hunters with very little downside, said Todd Feinman, founder, president and CEO of Identity Finder. “Bounty programs keep honest people honest,” Feinman said. “That’s important because if people can see that by doing the right thing, they can make some money, they’re less inclined to be unethical.”

Although bounty programs have the potential to bite the hand that feeds them, that hasn’t been the case, he added.
“They have not resulted, that I’m aware, in people finding vulnerabilities and selling them on the black market instead of to the companies,” he said.

Over the last 10 years, the bug reporting landscape has changed significantly, Sutton said. Ten years ago, no software vendor had a bug bounty program; now it’s common. “Yes, there are more vulnerabilities being bought and sold for offensive purposes, but I don’t think that’s indicative of a shift to the ‘dark side,’” Sutton said. “I think it’s indicative of more overall activity.”
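The takeover flow Melamed describes earlier in this story, an email address silently attached to an account and then used for a password reset, comes down to two missing checks on the add-email step. The following is an added illustration, not Melamed’s code or Facebook’s implementation: the Account class, the function names and the token handling are assumptions used to contrast the weak pattern with the usual mitigation.

```python
import secrets


class Account:
    """Constructed model of an account holding several email addresses."""

    def __init__(self, primary_email):
        self.emails = {primary_email}            # addresses trusted for password reset
        self.pending = {}                        # confirmation token -> unverified address
        self.csrf_token = secrets.token_hex(16)  # bound to the member's own session


def add_email_vulnerable(acct, email):
    # Weak pattern: a link the member is tricked into clicking attaches the
    # address at once. Nothing proves the member intended the change or owns
    # the address, so a password reset sent there reaches a stranger.
    acct.emails.add(email)


def add_email_hardened(acct, email, csrf_token):
    # Mitigation 1: the request must carry the session's anti-CSRF token, so a
    # bare link crafted by a third party cannot trigger the change.
    if not secrets.compare_digest(csrf_token, acct.csrf_token):
        raise PermissionError("missing or invalid CSRF token")
    # Mitigation 2: the address stays pending, and unusable for reset, until a
    # confirmation token delivered to that address is presented back.
    token = secrets.token_urlsafe(16)
    acct.pending[token] = email
    return token  # in a real system this is mailed, never shown to the requester


def confirm_email(acct, token):
    # Completes the add only when the holder of the new mailbox proves receipt.
    email = acct.pending.pop(token, None)
    if email is None:
        raise ValueError("unknown or already used confirmation token")
    acct.emails.add(email)


def can_reset_via(acct, email):
    # Password reset mail may only be sent to a confirmed address.
    return email in acct.emails
```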