
Meta wants researchers to help prevent user information from ending up on the web

The social media giant said on Wednesday it was expanding its bug bounty program – which offers rewards for helping identify and fix vulnerabilities in its apps – to include scraping, in a move Meta (FB) calls an “industry first” to address an “Internet-wide” challenge.

Scraping is generally an automated process of extracting large amounts of data from websites. Even when this data is publicly available online, such as a username, it can still be exploited by bad actors if aggregated with other personal information such as dates of birth, email addresses and location. For this reason, many websites, including Meta’s platforms, say they prohibit or limit scraping, although these rules are not always followed.

The announcement follows a public relations debacle earlier this year in which the personal information of nearly half a billion Facebook users – including phone numbers, email addresses and relationship statuses – was posted on a website used by hackers. Facebook said at the time that the data was previously deleted in 2019 and the issue was resolved that year, but the release of the information sparked renewed concern about the practice.

Rachel Tobac, ethical hacker and CEO of SocialProof Security, told CNN in April that bad actors can use this data to carry out social engineering attacks, where they use knowledge of personal details to convince people to pass on other, more problematic information, such as credit card numbers.

“This is the data that cybercriminals spend time researching to perform social engineering attacks,” Tobac said. “But now they’re all in one place and easily accessible in this leak, making social engineering faster and easier.”

Meta says the inclusion of scraping is part of the natural expansion of its bug bounty program.

“Over time, we have looked for ways to improve the bug bounty program as a whole,” Dan Gurfinkel, Meta’s bug bounty program manager, said on a call with reporters. He noted that the company had also expanded the program to include data abuse following the Cambridge Analytica scandal in 2018.

“This is basically an iterative process. It is not in response to a particular case. Rather it is about ways to involve the whole security community to help us have more hands on deck to solve a specific problem,” he said.

The expanded bug bounty program will reward security researchers for reporting on methods of scraping, even public data, that could allow bad actors to bypass Meta’s scraping limitations and collect large amounts of data. “Our goal is to quickly identify and counter scenarios that could make scraping less costly for malicious actors to perform,” the company said in a statement. It will also reward reports of unprotected databases published online that contain at least 100,000 unique Facebook user records with personal or sensitive information. (Rewards start at $500, depending on the type of report.)

News of the expanded program is part of Meta’s year-end bug bounty report. The company said it has received more than 150,000 reports and awarded more than 7,800 bounties (amounting to $14 million) over the past decade.

It also comes as Meta grapples with a wave of critical media coverage after a whistleblower leaked documents showing the company has long been aware of issues with its platforms, such as how Instagram can exacerbate youth mental health issues and Facebook’s challenges moderating non-English-language content. Most recently, Instagram director Adam Mosseri faced tough questions from senators during a hearing last week on the platform’s impact on children.
