Regístrese ahora para una mejor cotización personalizada!

Meta targets user information, database scraping in bug bounty expansion

Dic, 15, 2021 Hi-network.com

Meta has announced an expansion to its bug bounty platform to include vulnerabilities that can be abused for data scraping. 

Security

  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

On Wednesday, the company -recently rebranded from Facebook -said that the two new areas of research revolve around scraping bugs and scraped databases containing user information. 

Dan Gurfinkel, Security Engineering Manager, said that the inclusion of valid scraping bugs and exposed data sets in a bug bounty program are, to the firm's knowledge, an "industry first." 

Meta/Facebook has been involved in numerous incidents around user data scraping. The most well-known is the Cambridge Analytica scandal, in which the data of up to 87 million users was scraped and shared without their consent. 

More recently, information belonging to approximately 553 million Facebook users was dumped online. Meta said the mass data collection took place in 2019. 

"We know that automated activity designed to scrape people's public and private data targets every website or service," Gurfinkel says. "We also know that it is a highly adversarial space where scrapers -- be it malicious apps, websites or scripts -- constantly adapt their tactics to evade detection in response to the defenses we build and improve."

To assist the company in fixing data-scraping issues across its apps and services rapidly, Meta is looking for reports on vulnerabilities that allow scraping limit mechanisms to be bypassed and those that permit scraping "at a greater scale than the product intended." In particular, Meta is urging researchers to look for logic bypass issues, although rate limiting errors are in-scope, too. 

Scraped databases will include reports of unprotected and open public databases, discovered online, which contain at least 100,000 records of unique users, as well as sensitive information such as email addresses and phone numbers. 

Financial rewards starting at$500 are on offer for scraping bugs and scraped database reports will be matched with charity donations. Feedback will be sought from the firm's "top" bug bounty hunters before expansion.  

Gurfinkel also outlined the company's progress with bug bounties. Since 2011, the program's launch, over 150,000 bug reports have been received and over 7,800 have been awarded a bounty payment. In total, Meta has now paid out over$14 million. 

Over the course of 2021, Meta has awarded$2.3 million to researchers for 800 vulnerability reports out of approximately 25,000. 

Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk of compromise by threat actors. 

By the end of this year, Facebook Protect should be rolled out to over 50 countries. In the same way as Google and Microsoft, Meta offers this service to individuals including lawyers, journalists, civil rights organization members, and political figures. 

Previous and related coverage

  • Meta sued in excess of$150 billion for its role in Rohingya genocide
  • How Meta could muck up the metaverse
  • Meta expanding Facebook security program for government officials, journalists, activists

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0


tag-icon Etiquetas calientes: tecnología seguridad

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.