A security researcher who discovered vulnerabilities in an Instagram server
apparently traded barbs this week with Instagram parent Facebook’s
chief security officer over whether his explorations of the system’s
weaknesses went beyond ethical limits.
Researcher Wesley Wineberg said in a blog post that, despite efforts to work within a Facebook bug bounty program
that allows outside security researchers to investigate holes in
Facebook systems, the company threatened him with legal action and even
contacted the CEO of a company where he does contract work.
"If the company I worked for was not as understanding of security
research I could have easily lost my job over this," Wineberg wrote.
In a Thursday post of his own,
Facebook chief security officer Alex Stamos wrote that some action
Wineberg took in downloading data accessible through the vulnerabilities
"was not ethical behavior" and that contacting the company was
essentially a last resort effort to make sure Wineberg didn't release
potentially sensitive data.
"There was direct communication with Wes where we specifically asked
him not to do this," Stamos wrote in a follow-up comment. "Finding
somebody responsible who could mediate was the least aggressive of
several possible next steps."
The episode seemed to highlight the potential complexities of bug
bounty programs, the increasingly popular arrangements where tech
companies offer rewards to outside researchers who discover and report
security holes in their systems. Facebook alone has paid out millions of dollars through its program since 2011, and bug bounty programs are run by an industry-spanning list of companies from Google to United Airlines.
Wineberg—who has apparently successfully participated in other companies’ bug bounty programs—wrote that he sought to comply with Facebook’s bug bounty policies,
which require participants to "make a good faith effort to avoid
privacy violations, destruction of data, and interruption or degradation
of our service."
But Facebook says that his explorations into company systems and downloads of proprietary data went beyond the program’s rules.
"We are strong advocates of the security researcher community and
have built positive relationships with thousands of people through our
bug bounty program," a Facebook spokesperson wrote in an email to Fast Company.
"These interactions must include trust, however, and that includes
reporting the details of bugs that are found and not using them to
access private information in an unauthorized manner. In this case, the
researcher intentionally withheld bugs and information from our team and
went far beyond the guidelines of our program to pull private, non-user
data from internal systems."
According to accounts by both Wineberg and Stamos, Wineberg initially
discovered an Instagram server was running a Web-accessible
administrative console with vulnerabilities that could let hackers run
arbitrary commands on the machine. He reported the danger to Facebook,
which ultimately offered him a $2,500 reward through the bounty program.
"Up to this point, everything Wes had done was appropriate, ethical, and in the scope of our program," wrote Stamos.
After reporting the security hole, Wineberg, who wasn’t immediately
available for comment, wrote that he used the access it provided to
search for additional weaknesses in the system. He found credentials for
a database on the server and used those credentials to download
usernames and encrypted passwords for a Web-accessible administrative
tool running on the machine.
Using an open source password-cracking program on his own computer,
Wineberg discovered that several of the passwords were "extremely
weak"—some were the same as the account username, and some were common
default passwords like "password" and "changeme." Wineberg reported the
weak passwords to Facebook as well.
He also soon discovered a configuration file with access credentials
for an account on Amazon’s Simple Storage Service, which he used to
access what appeared to be a set of "deployment scripts" stored on the
Amazon cloud system. He also downloaded an older stored version of the
same data, which contained additional credentials letting him access
other S3 repositories, known as buckets.
"There appeared to be a lot of potentially sensitive content, but a
lot of it was just more versioned tar archives of tools and web
applications," he wrote. "I queued up several buckets to download, and
went to bed for the night."
Wineberg wrote that he avoided downloading what appeared to be user
data, in an effort to comply with the bounty program’s privacy rules,
but that he accessed a variety of apparently sensitive company data,
ranging from Instagram source code to credentials for additional cloud
"To say that I had gained access to basically all of Instagram's
secret key material would probably be a fair statement," he wrote. "With
the keys I obtained, I could now easily impersonate Instagram, or
impersonate any valid user or staff member."
According to his timeline, Wineberg didn’t immediately report the
files he was able to access with the S3 credentials. While he discovered
and tested the credentials on Oct. 24, he didn’t file a related report
until Dec. 1—only after he says Facebook rejected his bug bounty claim
relating to the weak passwords, citing a breach of user privacy.
"As a researcher on the Facebook program, the expectation is that you
report a vulnerability as soon as you find it," Wineberg says Facebook
told him in one email. "We discourage escalating or trying to escalate
access as doing so might make your report ineligible for a bounty."
Wineberg argued those expectations aren’t in Facebook’s published bug
bounty rules. Still, the rules do similarly ask researchers to "let us
know right away" when a bug is found and "not interact with other
accounts without the consent of their owners"—phrasing which seems
designed with end user accounts in mind but might also apply to the
employee accounts with weak passwords and Facebook’s own S3 accounts.
When Wineberg filed a third report, with the leaked S3 credentials,
Facebook appears to have taken it as a sign he was continuing to
disregard their guidelines.
"The downloading of files from S3 was an unnecessary exfiltration and
a violation of a warning we explicitly gave him," Stamos wrote. "I
really didn't want him setting a precedent that you could download an
arbitrary amount of data and call it legit."
Wineberg has since said he’s deleted the data, according to security publication Threatpost, and Facebook says it’s changed the S3 credentials.
One place where Wineberg and Stamos seem to agree: that the incident
shouldn’t have a chilling effect on the mutually beneficial relationship
that bug bounties have brought to security researchers and tech companies.
Facebook says it will take steps to respond to researchers’ reports more quickly and make its guidelines more explicit.
"We successfully handle hundreds of reports per day, but I don't
think we triaged the reports on this issue quickly enough," Stamos
wrote. "We will also look at making our policies more explicit and will
be working to make sure we are clearer about what we consider ethical
Post Credit: http://www.fastcompany.com