Facebook bug bounty program will now accept reports on third-party apps




Facebook announced today that it is expanding its bug bounty program as the company faces growing criticism over vulnerabilities in third-party applications that access Facebook user data.

The social media giant will now pay rewards to developers who report vulnerabilities involving user access tokens, the feature that lets users connect to third-party apps by logging in with Facebook and deciding which information the application can access. If an access token falls into the hands of hackers, they could then access data that the user did not intend to share with anyone outside of that application.

In a blog post announcing the change, Facebook's Dan Gurfinkel said the company will only consider reports "if the bug is discovered by passively viewing the data sent to or from your device when using the vulnerable application or website", and not, for example, by circumventing authentication requirements.

In their report, researchers must submit a proof of concept showing how the vulnerability could allow hackers to access or abuse user data. Facebook will pay a minimum reward of $500 for reports, and will only consider vulnerabilities in applications with at least 50,000 active users.

"If it's exposed, a token can potentially be misused, depending on permissions set by the user," wrote Gurfinkel. "We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not directly under our control."

Large technology companies generally have not treated third-party applications as part of their bug bounty programs. But Facebook is still struggling with the consequences of having allowed third-party applications for years to access large amounts of user data without any oversight, with some violating Facebook's rules by giving access to this data to Cambridge Analytica.

In recent months, some apps such as Bumble and Coffee Meets Bagel have also offered users additional login options outside of Facebook authentication. It is therefore essential that Facebook take steps to determine how it will monitor third-party applications to restore user confidence.

The company also recently completed a revised application review process to eliminate third-party applications that have access to more user data than they need.
