Late last week the social networking giant Facebook patched a particularly voyeuristic security vulnerability in the platform that could have given malefactors the ability to remotely turn on the webcams of other users and post videos to their profiles, according to a Bloomberg News report.
The vulnerability was discovered in July by the Indian security firm XY Sec. The firm’s founders, Aditya Gupta and Subho Halder, told Bloomberg that Facebook must have considered the bugs serious because it paid XY Sec five times the typical $500 bug bounty price.
On his personal website, Gupta said the issue arose from a problem in Facebook’s video upload feature. Evidently Facebook did not have, in Gupta’s words, “proper security checks enforced.” If exploited, it would have given an attacker the ability to secretly record video using another user’s webcam and post that content to the victim’s wall without their knowledge.
A Facebook spokesperson, Fred Wolens, told Bloomberg it appeared as if the vulnerability had not been exploited and that no users were impacted by it.
“This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild,” Wolens told Bloomberg via e-mail. “Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop/publish the video.”
It’s not clear why the network’s security team took five months to fix the troubling bug.
Facebook has had its bug bounty for more than a year, and while it hasn’t issued many splashy, high-payout rewards like Google, it did pay out $40,000 in rewards in its first month and has continued to pay researchers since. Such programs have their critics and their advocates. Stephen Dubner of Freakonomics fame compared the practice to rat farming. Google insiders have called their program a success and claimed that it makes users safer.
The notorious Apple hacker Charlie Miller echoed the familiar sentiment that such programs sometimes seem to be devious schemes designed to underpay bug-hunters for valuable research.
“I only wish bug bounties gave more money,” Miller told Threatpost earlier this year. “Google is the only company which seems to be going in the right direction in that regard. Bug bounties are important because, if nothing else, it shows that the company takes bugs seriously. As for how [much] payout is ‘enough’, it is a complicated formula.”