The news: Wanna make a cool $33,500?
Brazilian computer engineer Reginaldo Silva found a bug in Facebook's handling of OpenID, a decentralized authentication protocol that lets users sign in to more than one online service with a single identity. As security holes go, it was bad: the flaw could be exploited over the network with no prior access, and it let an attacker read almost any file on a Facebook server and make that server open network connections to other hosts.
After hearing Facebook's security chief Ryan McGeehan say, "If there's a million-dollar bug, we will pay it out," Silva refocused some of his attention on finding the social network's million-dollar bug. He found it in September and reported it to the company on Nov. 19. Facebook paged its on-call engineers and had a fix in place within three and a half hours.
The reward: For reporting it, Facebook paid Silva its largest bounty to date, $33,500. Had the bug fallen into the wrong hands, the result could have been compromised data for an untold number of users and serious damage to Facebook's reputation. Facebook has to be glad this one got fixed.
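The page does not name the bug class, and nothing below is Silva's exploit or Facebook's code; it is an added example, written for this edit, of the mechanism that produces exactly the two effects described above. Silva's own write-up describes the bug as XML external entity (XXE) injection in the discovery document OpenID fetches from an identity provider: an XML parser that resolves external entities will inline any local file the attacker names into the document, and will hand an http:// system identifier to the network stack, which is the "open connections" half. Python's standard-library xml.sax is used as a stand-in for whatever parser Facebook used; the secret file, the XRDS-style document and its element names are constructed for the demo, and the hardened call shows the single setting that closes the hole.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed sample: the file an attacker wants to read off the server.
# It contains no '<' or '&'; expat parses entity content as XML, so files
# with markup characters need the parameter-entity/CDATA wrapping trick,
# which is not shown here.
SECRET = "db_password=correct-horse-battery-staple"


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. what a naive discovery-document parser
    would take as the <URI> value."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def xxe_payload(path):
    """Constructed attacker-controlled discovery document.

    The DOCTYPE declares an external general entity whose SYSTEM identifier
    is a path on the parsing host; &xxe; inside <URI> asks the parser to
    fetch that file and substitute its contents.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE XRDS [<!ENTITY xxe SYSTEM "{path}">]>\n'
        '<XRDS><XRD><Service><URI>&xxe;</URI></Service></XRD></XRDS>'
    ).encode()


def parse_discovery_document(xml_bytes, resolve_external_entities):
    """Parse untrusted XML with xml.sax and return its character data.

    resolve_external_entities=True mirrors a parser that fetches whatever
    SYSTEM identifier the document names (a local path here; an http:// URL
    is handed to urllib.request.urlopen by CPython's default EntityResolver,
    which is the server-side request an attacker can also abuse).
    False is the hardened setting: the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def run_demo():
    """Write the constructed secret to a temp file, then parse the same
    payload with external entities enabled and disabled.

    Returns (text seen by the vulnerable parser, text seen by the hardened one).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET)
        secret_path = f.name
    try:
        leaked = parse_discovery_document(xxe_payload(secret_path), True)
        safe = parse_discovery_document(xxe_payload(secret_path), False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = run_demo()
    print("external entities resolved:", repr(leaked))  # the secret file's contents
    print("external entities disabled:", repr(safe))    # ''
```

The only difference between the two calls is one parser feature, which is the general lesson of this bug class: any XML parser that sees attacker-supplied documents must have external entity resolution (and external DTD loading) switched off, regardless of what the document is nominally for.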
Silva isn't complaining about the amount of the bounty, but he wishes he'd made more.
“I won’t disclose the amount, but if you have any comments about how much you think this should be worth, please share them,” Silva wrote. “Unfortunately, I didn’t get even close to the $1 million payout cited above.”
CQR Consulting CTO Phil Kernick praised Silva's find, but told iTnews: "I think that the amount that they paid him is far below the economic value of the bug – and this is a fundamental problem with all bug bounty programs. He was honest, but could have made much more selling it."
Is Facebook secure? Largely. But the site is massive and still has unresolved bugs and undiscovered flaws that could cost users their privacy or let intruders into their accounts.
In the wrong hands, a bug like that could be worth a big stinkin' pile of cash, even if users' private information stayed safe.
The far bigger threat to users, though, is their own password hygiene. Most Facebook break-ins happen because a user surrenders login credentials to phishing, social engineering, or malware such as keyloggers. Those problems can violate users' privacy, but to date there has been no black-hat intrusion into Facebook's back end that we know about.
Facebook (and competitor Google) are working to raise the bar with hardware security keys: a physical token the size of a USB drive that has to be present to complete a login, so a stolen password alone is no longer enough. Expect hackers to ramp up their game accordingly.