A security researcher’s discovery and publicizing of Instagram security flaws has led to a war of words with Facebook. As reported by industry publication Threatpost, the researcher accused Facebook of hinting at legal and criminal action after he posted on a blog about security vulnerabilities in the system–and that he cracked employee accounts and passwords in the process.
Wesley Wineberg, a contractor for security firm Synack, posted on his blog about the security flaws–and went into detail about what he allegedly encountered. Wineberg is one of many researchers who participate in Facebook’s Bug Bounty Program, which offers cash rewards for finding security flaws in Facebook and affiliated services in exchange for notifying the company. Bug bounties are a common practice within the tech industry.
However, the details of the program can be opaque at times, and it appears Wineberg fell afoul of Facebook in the process. Alex Stamos, Facebook’s chief security officer, criticized Wineberg in a blog post on “Bug Bounty Ethics.” Stamos also denied threatening Wineberg with legal action.
While Facebook and Instagram quickly fixed the security hole, and the specifics of the case become complicated very quickly, it’s a rare public look at a surprisingly widespread practice. Facebook, Microsoft, Amazon, and many other companies rely on outside security researchers to discover flaws their internal security culture may miss. But clashes are sure to come up in the process–and, as in this case, they turn into a Rashomon-type situation where two parties have very different interpretations of the same event.
Wineberg appears to have incurred Facebook’s wrath for submitting a report about some of the Instagram employee accounts he cracked during the project; those accounts had passwords such as “password,” “changeme,” and “instagram.”