Facebook has been accused of threatening a security researcher who uncovered a vulnerability that allowed him to access Instagram servers that hold the photos of its 400 million users. But the world's biggest social network is denying the accusation, saying the researcher went too far in an attempt to highlight a problem and claim a reward.
Like many other major companies these days, Facebook runs a "bug bounty" program, paying security researchers who submit vulnerabilities they discover in the company’s websites or software. The programs are designed to promote responsible disclosure of vulnerabilities and help keep bugs from falling into the hands of hackers and legal malware vendors like Hacking Team.
Wes Wineberg is one such researcher, and based on a tip he received online in October, he began investigating an openly accessible portal for Instagram employees (sensu.instagram.com -- which is no longer accessible) and quickly found that by exploiting a remote code-execution bug he was able to get the server to return login information for Instagram and Facebook employees. While the passwords were encrypted, some were poorly chosen -- "instagram", "password", "changeme" -- and Wineberg was easily able to gain access.
On Oct. 21 Wineberg reported the vulnerability on the photo-sharing app to Facebook, its parent company, which acknowledged the matter and a month later handed Wineberg a check for $2,500 even though the social network said he wasn't the first person to highlight the problem. While he was waiting for Facebook to respond to his initial submission, Wineberg decided to hunt around for other vulnerabilities -- and that's where the problems started.
'Exfiltration of Data'
What Wineberg did next, according to Facebook’s chief security officer, Alex Stamos, was “intentional exfiltration of data,” which is not allowed under the terms of the company’s bug bounty program. Wineberg says his actions were “completely lawful and within the requirements specified by Facebook’s Whitehat program.”
As he explains in a detailed blog post, Wineberg discovered digital keys in server configuration files that could be used to access Amazon Web Services -- the cloud computing service Instagram uses to host part of its backend. Using the keys, Wineberg was able to look at the 82 different "buckets," or digital storage units, used to house Instagram's data. The first keys he found did not grant access to the buckets, but he subsequently found keys that did, and he then downloaded data stored in them.
Instagram's Secret Key Material
Wineberg says he downloaded "several buckets" but avoided downloading anything containing Instagram users' images, to comply with Facebook's bug bounty terms and conditions. However, he did find a lot of valuable data among the information he downloaded. "To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement," Wineberg says. "With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data. It is unclear how easy it would be to use the information I gained to then compromise the underlying servers, but it definitely opened up a lot of opportunities."
Wineberg reported the vulnerability to Facebook, but over a month later the company rejected the submission. In an email to the researcher, a member of Facebook's security team said the submission was rejected because it "violates expectations of preserving user privacy," without specifying which action or actions were meant.
Having made a final submission to Facebook's bug bounty program on Dec. 1, Wineberg received a phone call from his boss Jay Kaplan, the CEO of Synack, a company that finds vulnerabilities in software. Kaplan had been contacted by Stamos, and Wineberg claims the Facebook CSO "stated that he did not want to have to get Facebook's legal team involved, but that he wasn't sure if this was something he needed to go to law enforcement over."
Stamos denies this version of events: "I did not threaten legal action against Synack or Wes nor did I ask for Wes to be fired. I did say that Wes' behavior reflected poorly on him and on Synack." According to Wineberg's version of events, Stamos additionally wanted Kaplan to confirm that all data downloaded from Instagram's servers was deleted and that all findings and interactions were to be kept private.
In Stamos' version of events, Wineberg was not happy with the amount of money he was paid for the initial vulnerability, but this is a claim Wineberg denies, saying "compensation has never been the issue here for me." Additionally, Stamos says Facebook assumes Wineberg was operating on behalf of Synack, but again the security researcher denies this, claiming all the investigations were done on his own time and that he is not even a full-time employee of Synack.
Wineberg's main assertion is that he did not violate Facebook bug bounty terms and conditions as "there is no rule that states what to do when a vulnerability is discovered." Wineberg points to the terms and conditions of companies like Tumblr and Microsoft as more precisely defining what researchers can and can't do when searching for vulnerabilities.
Opinions Split in Security Community
The incident has sparked a heated debate within the security community, with opinions split over who was right and who was wrong. On Reddit's network security thread, some have pointed out that Stamos has shown himself previously to be a staunch supporter of security researchers, particularly when an Airbus researcher had to pull a talk about issues with a suspect Bluecoat device because of threats from the company. "I will never spend budget on a security vendor who threatens researchers," Stamos said at the time.
Over on Hacker News, a security researcher and engineer asserted that by downloading data, Wineberg had crossed a line: "The researcher used the vulnerability to dump data. This is well known to be a huge no-no in the security industry. When you dump data, you become a flight risk. It means that you have sensitive information in your possession and they have no idea what you'll do with it."
Others are speculating on what this vulnerability would be worth if sold on the dark web or to companies like Hacking Team or Vupen. One Redditor speculates that if the vulnerability were exploited quickly and correctly, you could be looking at the "single largest infiltration of a social media network in history," and therefore the exploit could be worth over $1 million.