Meta, formerly Facebook, is adding scraping attacks to its bug bounty program, according to a company statement. Scraping is an issue that Facebook has struggled with in the past. Because of this, two new areas of research are now open under its Bug Bounty and Data Bounty programs: scraping bugs and scraped databases.
Meta Bug Bounty Program Adds Scraping Attacks
So far in 2021, the bug bounty program of Meta, formerly Facebook, has awarded more than $2.3 million to researchers for 25,000 reports in total. “As scraping continues to be an internet-wide challenge, we’re excited to open up these new areas of research for our bug bounty community,” the company said.
No website or online service is safe from scraping, and this tactic is constantly being improved to evade detection in response to built-in security mechanisms. “As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform,” Meta added. This appears to be the first scraping bug bounty initiative.
The program will also cover scraped databases that researchers discover online. Rewards will be given for reports of unprotected or openly public databases that contain at least 100,000 unique Facebook user records with PII or sensitive data. The reported databases should also be unique and not previously reported to Meta.
“If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed,” Meta explained.
In case the dataset is a result of a misconfigured third-party application, the company will work with the developer to address the issue. Alternatively, if the dataset is exposed on a hosting service, the company will work with the vendor to take the dataset offline.
Awards will be issued based on the maximum impact, with a minimum reward of $500 for each scraping bug or database.
Facebook Data Breaches
In April this year, security researchers reported a massive data breach exposing the phone numbers and personal details of millions of Facebook users. The exposed data consisted of personal details of more than 533 million Facebook users from 106 countries, including 32 million records of US users, 11 million records of UK users, and 6 million records of Indian users.
The data breach was possible due to a vulnerability addressed by Facebook in 2019. Despite being two years old, the leaked Facebook details could be exploited by hackers in various scenarios. Affected users could be impersonated and scammed.
It is also noteworthy that in October 2020, Facebook launched a unique loyalty program called Hacker Plus for its bug bounty platform. Back when it was released, the loyalty program was the first of its kind for a technology giant. Similar loyalty programs have been launched by airlines and hotels. Hacker Plus’s purpose is to provide additional bonuses and perks to bug bounty hunters and security researchers based on their reports.