Facebook Offers Rewards for Access Token Exposure Flaws

Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.

Access tokens allow users to log into third-party applications and websites through Facebook. The tokens are unique for each user and each app, and users can choose what information can be accessed by the token and the app using it, as well as what actions it can take. The problem is that if a token is exposed, it can be misused to an extent that depends on the permissions set by its owner.

Facebook has updated its bug bounty program to clarify what it expects from reports describing token-related vulnerabilities.

In order to qualify for a bug bounty – Facebook is offering a minimum of $500 per vulnerability – researchers have to submit a clear proof-of-concept (PoC) demonstrating a flaw that allows access to or misuse of tokens.

One very important condition, according to the company, is that the bug needs to be discovered by passively viewing data sent to or from a device while the affected application is in use.

“You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope,” explained Dan Gurfinkel, Security Engineering Manager at Facebook.
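As an added illustration (not code from the article or from Facebook), the following developer-side check follows the same passive-observation idea: given a test token obtained during a session with one's own app and the requests captured from that session, it flags each place the token travels in an exposing way (plaintext transport, a host other than the expected API, or the URL query string, where it lands in server logs and Referer headers). The allowed host set, the sample request lines and the token value are constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts that legitimately receive the app's Facebook access token (assumption for this example).
ALLOWED_TOKEN_HOSTS = {"graph.facebook.com"}

# Constructed sample: one captured line per request, "METHOD URL [header]", with a made-up token.
TEST_TOKEN = "EAATOKEN0001"
SAMPLE_REQUESTS = [
    "GET https://graph.facebook.com/v3.0/me?fields=id,name&access_token=EAATOKEN0001",
    "GET http://api.example-partner.test/sync?access_token=EAATOKEN0001",
    "POST https://graph.facebook.com/v3.0/me/feed Authorization: Bearer EAATOKEN0001",
    "GET https://analytics.example-partner.test/track?uid=42&fb_token=EAATOKEN0001",
    "GET https://cdn.example-partner.test/logo.png",
]


def classify_request(line, token, allowed_hosts=ALLOWED_TOKEN_HOSTS):
    """Return the exposure reasons for one captured request ([] if the token is absent or handled safely)."""
    if token not in line:
        return []
    _method, url, *_rest = line.split(" ", 2)
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("plaintext_transport")      # token observable on the wire
    if parts.hostname not in allowed_hosts:
        reasons.append("third_party_host")         # token handed to a host that should not hold it
    if token in parts.query:
        reasons.append("token_in_url_query")       # token persists in access logs and Referer headers
    return reasons


def find_token_exposures(lines, token, allowed_hosts=ALLOWED_TOKEN_HOSTS):
    """Map the index of each exposing request to its list of reasons."""
    findings = {}
    for i, line in enumerate(lines):
        reasons = classify_request(line, token, allowed_hosts)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in find_token_exposures(SAMPLE_REQUESTS, TEST_TOKEN).items():
        print(f"request {idx}: {', '.join(reasons)}")
```

A request that carries the token only in an Authorization header to the expected API host produces no finding, which is the pattern to aim for.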

The social media giant will inform the developer of the impacted app or website and work with them to address the issue. Apps that fail to promptly comply will be suspended from the platform until the problem has been resolved and a security review is conducted. Facebook says it will also automatically revoke tokens that may have been compromised.

Facebook has taken significant steps to improve security and privacy following the Cambridge Analytica scandal, in which the personal details of a significant number of users were harvested. The company announced in March that it had made a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data. It later announced rewards for users who report misuse of private information.

According to Facebook, in 2017 it paid out $880,000 in bug bounties, with a total of over $6.3 million since the launch of its program in 2011.

Related: Facebook Increases Bug Bounty Payout After Audit

Related: Facebook Flaw Exposed Page Administrators

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
