A security researcher who uncovered a major Instagram hole has gotten into a tiff with Facebook and opened up a can of worms about the boundaries of "bug bounty" programs. Wesley Wineberg is a well-known bug hunter, having received $24,000 from Microsoft for stopping a nasty Outlook worm. He then turned to Instagram (via Facebook's bug bounty program), after receiving a tip about a potential vulnerability on an exposed Amazon server. After confirming the bug, he decided to dig a bit deeper, and that's where things went wrong.
Wineberg eventually struck gold via a hole that could allow hackers to run code remotely, and submitted a ticket to the bug bounty team. Probing further, he managed to crack some weak employee passwords, including "changeme" and "instagram," and submitted another report. Using that info, he obtained a key that allowed him to access server files.
To demonstrate the extent of the vulnerability, he downloaded several "buckets" of non-user data from Instagram's Amazon servers. The data, he discovered, gave him access to source code and secret authentication codes -- the so-called keys to the kingdom. "To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," he said in a blog post. Furthermore, he told Forbes he had access to the servers for over a month before the bug was patched. "My concern is that someone else has gained access to [the data]. What are the chances someone else has found this?"
To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement
Having paid Wineberg $2,500 for discovering the earlier bug, Facebook was far from grateful for the escalation, however. It declined to pay him for the later bug submissions, saying he had violated the terms of its bug bounty program. In a Facebook post, CSO Alex Stamos wrote that, "intentional exfiltration of data is not authorized by our bug bounty program, is not useful in understanding and addressing the core issue, and was not ethical behavior by Wes." (Facebook added that "this bug has been fixed, the affected keys have been rotated, and we have no evidence that Wes or anybody else accessed any user data.")
Stamos went on to accuse Wineberg of being ungrateful for the initial reward, expressed surprise that he planned to write about it, and most severely, contacted his employer, Synack. "It was reasonable to believe that Wes was operating on behalf Synack ... [because] he has interacted with us using a synack.com email address and he has written blog posts that are used by Synack for marketing purposes," Stamos said. (Wineberg says all his correspondence with Facebook was via his personal email until after Facebook contacted Synack.)
We couldn't allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research.
According to Stamos' article, he told Synack's CEO that "we couldn't allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research, and that I wanted to keep this out of the hands of the lawyers on both sides." He added that he didn't threaten legal action or ask for Wineberg to be fired, but "I did say that Wes's behavior reflected poorly on him and Synack."
For his part, Wineberg said that he was acting on his own behalf and that Synack, which employs him on a contract-only basis, had approved his private bug bounty work. He believed that Facebook's terms-of-service for its white hat bounty program didn't specifically exclude his actions, and that some companies, like Tumblr, are more likely to pay for bugs if researchers dig deeper to show "impact." On the other hand, Microsoft, for one, doesn't want companies to move beyond the basic proof-of-concept, but spells that out clearly in its rules.
In his blog, Wineberg provided a transcript of his email conversations with Facebook, which differ from Facebook's account -- he asked for permission to write about the bugs and didn't complain about the payout, for instance. He added that "without contacting me at all, Facebook had gone directly for my employer ... if the company was not as understanding of security research, I could have easily lost my job over this." While he agreed that Facebook didn't threaten legal action directly, he called Facebook's mention of lawyers "intimidation."
Facebook's Stamos -- who has a sterling reputation as a pioneer in the security community -- says he's "proud that we run one of the most successful bug bounty programs" and that Facebook has paid out over $4.3 million so far. According to Forbes, he previously tweeted that "I will never spend budget on a security vendor who threatens researchers." He admitted that "I don't think we triaged the reports on this issue quickly enough," and said "we will also look at making our policies more explicit and will be working to make sure we are clearer about what we consider ethical behavior."
Many Reddit commenters said that Wineberg overstepped his bounds, since weak employee passwords are not code bugs and a lack of clear rules doesn't give researchers carte blanche to hack sites. Furthermore, many security researchers believe that actually dumping data, even if it's not sensitive user data, is a huge no-no.
However, others think that Wineberg was right to highlight the potential severity of the hole and that Stamos' response was overly harsh. AVG security specialist Tony Anscombe told Engadget that his company also runs a bug bounty program with similar rules to Facebook. "If somebody came to us and said, 'I found something outside the scope of [your rules],' would we get upset? As long as they've done it in a responsible fashion, by disclosing it to us and not publishing the vulnerability, then of course we would talk to them. And I'd like to think we'd be friendly with them." He added that the bounty programs are there for a reason. "They're there to protect end-users."