Facebook, Researcher Spar Over Instagram Flaw Disclosure (exfiltrated.com)
msm1267 writes: A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network's bug bounty program but, he said, also prompted hints of legal and criminal action, which Facebook has since denied. Wesley Wineberg, a contract employee of security company Synack, said today that he had found some weaknesses in the Instagram infrastructure that allowed him to access source code for recent versions of Instagram, SSL certificates and private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, and keys for more than a half-dozen other critical functions, including iOS and Android app signing keys and iOS push notification keys. Wineberg also accessed employee accounts and passwords, some of which he cracked, and had access to Amazon buckets storing user images and other data, prompting claims of user privacy violations from Facebook.
Facebook isn't wrong though. There isn't a single white-hat penetration tester out there who will say it's OK to access systems you aren't given permission to access, even if it's in the act of discovering vulnerabilities that you intend to disclose. He found a vulnerability in their system and, instead of reporting it immediately, he decided to see how deep that particular rabbit hole went. He used credentials that did not belong to him to access systems he did not have permission to access, a direct violation of many countries' laws (including the US, where those servers are housed). This "security researcher" did way more than discover and disclose a vulnerability; he also took advantage of that vulnerability without permission from Facebook, in direct violation of most countries' laws. If I were Facebook I wouldn't just not pay the guy, I would consider legal action as well. It should not be acceptable to hack into someone's servers as long as you report it to them later. Who knows if this individual "security researcher" or his company might have decided to keep some of those private certs and credentials around for future use. Just because this one might not have doesn't mean the next one wouldn't. This behavior is unacceptable from a supposed "security researcher", especially since he should know better.
> There isn't a single white-hat penetration tester out there who will say it's OK to access systems you aren't given permission to access, even if it's in the act of discovering vulnerabilities that you intend to disclose.
If you're not hired by FB but are probing their systems to look for vulnerabilities as their bounty system encourages, you cannot meet the criterion you outline.
The goal apparently needs to be more clear: if FB's goal is to find as many problems as possible then stopping at the first problem and closing that door does not achieve the goal.
Unless we hear that he sold the info to a third party, it looks like there's no victim here and FB looks bad for overreacting when it got caught with its pants down (wait ... Instagram, not Snapchat).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)