A security researcher who found vulnerabilities in an Instagram server was accused by Facebook Inc (NASDAQ: FB) of going beyond the boundaries of ethic on his work.
Security researchers are those in charge of conducting bug bounty programs, in which hackers are paid to access a certain server to find possible vulnerabilities on the site’s security system, and then report those errors to the company.
This was precisely the job of Wesley Wineberg, who was hired to access Instagram’s server to report any possible bugs. The researcher had formerly participated in bug bounty programs for other companies.
Wineberg started by discovering that Instagram’s server was running a web-accessible administrative console that had bugs which would potentially allow hackers to mess with the site. That first diagnosis earned the researcher a $2,500 reward from Facebook. According to Facebook’s chief security officer Alex Stamos, everything the researcher had done up to that point was within the boundaries and regulations of the company’s bug bounty program.
Some of these rules are avoiding privacy violations, destructing data and interrupting or hindering the server while exploring it.
The next step for Wineberg — according to what he wrote in a post — was searching for more security holes after taking advantage of the server’s initial vulnerability. He then discovered an access to the server’s database and was able to download usernames and use an open source password-cracking program to enter accounts. The researcher concluded that some of the passwords were extremely weak, with generic words such as “password”, “changeme” and “instagram,” and some with the same name of the user.
Wineberg wrote that there appeared to be plenty of potentially sensitive content, however, a majority of it was only versioned tar archives of tools and web applications. He reported that he queued up several buckets to download and retired for the night.
The researcher claimed to have avoided downloading user data in order to follow Facebook’s bug bounty policies, although he did access other sensitive content, like Instagram source codes.
Facebook didn’t take Wineberg’s exploration lightly, arguing that he fell into unethical practices and crossed the company’s boundaries.
A Facebook spokesman said that while the company “strongly” advocated of the security researcher community and had built plenty of relationships through the bug bounty program, those relationships must include trust, which meant reporting any bugs and not taking advantage of them to access private information beyond the program’s policy.
“In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems,” he explained.
Facebook threatened to sue Wineberg, and contacted the CEO of another company where the researcher works. Stamos, on the other hand, described the measure as a last resort and said that finding a responsible mediator was the least aggressive of possible future steps to prevent the researcher from publicizing sensitive content.
Source: Fast Company