Scraping is generally an automated process of extracting large amounts of data from websites. Even when this data is publicly available online, such as a username, it can still be exploited by bad actors if aggregated with other personal information such as dates of birth, email addresses and location. For this reason, many websites, including Meta’s platforms, say they prohibit or limit scraping, although these rules are not always followed.
“This is the data that cybercriminals spend time researching to perform social engineering attacks,” Tobac said. “But now they’re all in one place and easily accessible in this leak, making social engineering faster and easier.”
Meta says the inclusion of scraping is part of the natural expansion of its Bug Bounty program.
“This is basically an iterative process. It is not in response to a particular case. Rather it is about ways to involve the whole security community to help us have more hands on deck to solve a specific problem,” he said.
The expanded bug bounty program will reward security researchers for reporting on methods of scraping, even public data, that could allow bad actors to bypass Meta’s scraping limitations and collect large amounts of data. “Our goal is to quickly identify and counter scenarios that could make scraping less costly for malicious actors to perform,” the company said in a statement. It will also reward reports of unprotected databases published online that contain at least 100,000 unique Facebook user records with personal or sensitive information. (Rewards start at $500, depending on the type of report.)
News of the expanded program is part of Meta’s year-end bug bounty report. The company said it has received more than 150,000 reports and awarded more than 7,800 bounties (amounting to $14 million) over the past decade.