A security researcher who discovered vulnerabilities in an Instagram server apparently traded barbs this week with Instagram parent Facebook’s chief security officer over whether his explorations of the system’s weaknesses went beyond ethical limits.
Researcher Wesley Wineberg said in a blog post that, despite efforts to work within a Facebook bug bounty program that allows outside security researchers to investigate holes in Facebook systems, the company threatened him with legal action and even contacted the CEO of a company where he does contract work.
“If the company I worked for was not as understanding of security research I could have easily lost my job over this,” Wineberg wrote.
In a Thursday post of his own, Facebook chief security officer Alex Stamos wrote that some action Wineberg took in downloading data accessible through the vulnerabilities “was not ethical behavior” and that contacting the company was essentially a last resort effort to make sure Wineberg didn’t release potentially sensitive data.
“There was direct communication with Wes where we specifically asked him not to do this,” Stamos wrote in a follow-up comment. “Finding somebody responsible who could mediate was the least aggressive of several possible next steps.”
The episode seemed to highlight the potential complexities of bug bounty programs, the increasingly popular arrangements where tech companies offer rewards to outside researchers who discover and report security holes in their systems. Facebook alone has paid out millions of dollars through its program since 2011, and bug bounty programs are run by an industry-spanning list of companies from Google to United Airlines.
Wineberg—who has apparently successfully participated in other companies’ bug bounty programs—wrote that he sought to comply with Facebook’s bug bounty policies, which require participants to “make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.”
But Facebook says that his explorations into company systems and downloads of proprietary data went beyond the program’s rules.
“We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program,” a Facebook spokesperson wrote in an email to Fast Company. “These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.”
According to accounts by both Wineberg and Stamos, Wineberg initially discovered an Instagram server was running a Web-accessible administrative console with vulnerabilities that could let hackers run arbitrary commands on the machine. He reported the danger to Facebook, which ultimately offered him a $2,500 reward through the bounty program.
“Up to this point, everything Wes had done was appropriate, ethical, and in the scope of our program,” wrote Stamos.
After reporting the security hole, Wineberg, who wasn’t immediately available for comment, wrote that he used the access it provided to search for additional weaknesses in the system. He found credentials for a database on the server and used those credentials to download usernames and encrypted passwords for a Web-accessible administrative tool running on the machine.
Using an open source password-cracking program on his own computer, Wineberg discovered that several of the passwords were “extremely weak”—some were the same as the account username, and some were common default passwords like “password” and “changeme.” Wineberg reported the weak passwords to Facebook as well.
He also soon discovered a configuration file with access credentials for an account on Amazon’s Simple Storage Service, which he used to access what appeared to be a set of “deployment scripts” stored on the Amazon cloud system. He also downloaded an older stored version of the same data, which contained additional credentials letting him access other S3 repositories, known as buckets.
“There appeared to be a lot of potentially sensitive content, but a lot of it was just more versioned tar archives of tools and web applications,” he wrote. “I queued up several buckets to download, and went to bed for the night.”
Wineberg wrote that he avoided downloading what appeared to be user data, in an effort to comply with the bounty program’s privacy rules, but that he accessed a variety of apparently sensitive company data, ranging from Instagram source code to credentials for additional cloud services.
“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” he wrote. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member.”
According to his timeline, Wineberg didn’t immediately report the files he was able to access with the S3 credentials. While he discovered and tested the credentials on Oct. 24, he didn’t file a related report until Dec. 1– only after he says Facebook rejected his bug bounty claim relating to the weak passwords, citing a breach of user privacy.
“As a researcher on the Facebook program, the expectation is that you report a vulnerability as soon as you find it,” Wineberg says Facebook told him in one email. “We discourage escalating or trying to escalate access as doing so might make your report ineligible for a bounty.”
Wineberg argued those expectations aren’t in Facebook’s published bug bounty rules. Still, the rules do similarly ask researchers to “let us know right away” when a bug is found and “not interact with other accounts without the consent of their owners”—phrasing which seems designed with end user accounts in mind but might also apply to the employee accounts with weak passwords and Facebook’s own S3 accounts.
When Facebook filed a third report, with the leaked S3 credentials, Facebook appears to have taken it as a sign he was continuing to disregard their guidelines.
“The downloading of files from S3 was an unnecessary exfiltration and a violation of a warning we explicitly gave him,” Stamos wrote. “I really didn’t want him setting a precedent that you could download an arbitrary amount of data and call it legit.”
Wineberg has since said he’s deleted the data, according to security publication Threatpost, and Facebook says it’s changed the S3 credentials.
One place where Wineberg and Stamos seem to agree: that the incident shouldn’t have a chilling effect on mutually beneficial relationship bug bounties have brought to security researchers and tech companies.
Facebook says it will take steps to respond to researchers’ reports quicker and make its guidelines more explicit.
“We successfully handle hundreds of reports per day, but I don’t think we triaged the reports on this issue quickly enough,” Stamos wrote. “We will also look at making our policies more explicit and will be working to make sure we are clearer about what we consider ethical behavior.”