Instagram Hack Reveals Flaws In Facebook’s Security System

Facebook's security system

Researcher Wesley Wineberg has been shaking the higher echelons of social media giants like Instagram and its parent company Facebook, when he identified major privacy and security flaws.

However, he was not met with appreciation but harsh opposition from Facebook with threats of litigation and also indirect influence to back off from his adventurous investigations.  During the course of this tussle Facebook is believed to have reached out to the contractual employers of Wesley as well to influence him.

Wesley on the other hand maintains that he was working within the framework and terms of reference of the Facebook bug bounty program. This program allows independent outside researchers to identify potential security breaches and system flaws to improve the overall security for the end user and carry considerable monetary rewards.

Fresh from winning the Microsoft bug bounty program, Wesley was pointed into the direction of Instagram security concern by a friend. On further scrutiny, Wesley uncovered not just the tip of the iceberg but the iceberg itself submerged within the data was a sea of user privacy data.

Facebook on the other hand still maintains that Wesley withheld information. The Chief Security Officer of Facebook, Alex Stamos contacted Wesley through the contractual employer Synack’s C.E.O. Jay Kaplan.

“Alex informed my employer (as far as I am aware) that I had found a vulnerability, and had used it to access sensitive data. He then explained that the vulnerability I found was trivial and of little value, and at the same time said that my reporting and handling of the vulnerability submission had caused huge concern at Facebook,” Wineberg said. “Alex then stated that he did not want to have to get Facebook’s legal team involved, but that he wasn’t sure if this was something he needed to go to law enforcement over.” (Source: SECURITYWEEK)

Facebook further maintains that there are ethical questions involved here and Wesley should have come to Facebook first, instead of going to the public. It is quite apparent that even the largest and often thought of as the most secured companies like Facebook can have serious security flaws. It seems that they too are operating from the wrong side of the security fence.

Instead of launching a tirade and discouraging security researchers they should be promoting them. They tend to forget the online adage for protecting end users.

Provide fool proof security to the end user and then provide some more security.

It seems that Facebook is not prepared to address the elephant in the room. Why to go after someone who is trying to improve you, instead why not appreciate and bring in the identifier or security researcher to make your security system even better.

It seems that Facebook is trying to hide behind technical jargon and legalese to escape something that clearly identifies the security flaws in their system. As the following statement clearly indicates the veil that the social media giant is drawing over the ugly flaw.

Facebook has provided SecurityWeek the following statement:

“We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings―we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.” (Source: SECURITYWEEK)

Synack has provided the following statement, noting that Wineberg conducted the research in his free time:

“Synack values customer privacy and always responsibly and confidentially reports vulnerabilities directly to its customers. Facebook is not a Synack customer. Wes Wineberg, a well-respected independent contractor, was not acting on behalf of Synack. Synack believes ethical researchers across the world should be empowered to find, and responsibly disclose, vulnerabilities so that consumers and users are more secure.” (Source: SECURITYWEEK)

Everyone is trying to absolve themselves but Synack does point out to the ethical and moral responsibility of the security researcher in their statement and it would be wrong not to lend weight to this point.

Security of the end user is of primal importance, rest is secondary.

The lesson clearly here is three pronged and should be at the heart of security research.

  • Research for security breaches with freedom
  • Once identified, make sure the identified system resolves
  • If not, it is a moral and ethical duty to report it to all

Without these guidelines there can be no safety in security research and without this safety there can be no identification of the security system flaws and this means no protection for the end user, more simply, no security for you and I.