Facebook Offers Rewards for Access Token Exposure Flaws

Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.

Access tokens allow users to log into third-party applications and websites through Facebook. The tokens are unique for each user and each app, and users can choose what information can be accessed by the token and the app using it, as well as what actions it can take. The problem is that if a token is exposed, it can be misused to an extent that depends on the permissions set by its owner.

Facebook has updated its bug bounty program to clarify what it expects from reports describing token-related vulnerabilities.

In order to qualify for a bug bounty – Facebook is offering a minimum of $500 per vulnerability – researchers have to submit a clear proof-of-concept (PoC) demonstrating a flaw that allows access to or misuse of tokens.

One very important condition, according to the company, is that the bug needs to be discovered by passively viewing data sent to or from a device while the affected application is in use.

“You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope,” explained Dan Gurfinkel, Security Engineering Manager at Facebook.

The social media giant will inform the developer of the impacted app or website and work with them to address the issue. Apps that fail to promptly comply will be suspended from the platform until the problem has been resolved and a security review is conducted. Facebook says it will also automatically revoke tokens that may have been compromised.

Facebook has taken significant steps to improve security and privacy following the Cambridge Analytica scandal, in which the personal details of a significant number of users were harvested. The company announced in March that it had made a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data. It later announced rewards for users who report misuse of private information.

According to Facebook, in 2017 it paid out $880,000 in bug bounties, with a total of over $6.3 million since the launch of its program in 2011.

Related: Facebook Increases Bug Bounty Payout After Audit

Related: Facebook Flaw Exposed Page Administrators