A security researcher who unearthed a major Instagram hole has got into trouble with Facebook that accused him of unethical behavior. Wesley Wineberg, a well-known bug hunter, was checking the vulnerability of an exposed Amazon server when he found a hole that could allow hackers to run code remotely, and submitted a ticket to the bug bounty team, Engadget.com reported. Also Read - WhatsApp violates Indian users' rights by denying dispute resolution claims CentreAlso Read - Facebook to pay French news publishers for using its content
After confirming the bug, he decided to dig a bit deeper, and then things took an ugly turn. He managed to crack some weak employee passwords, and submitted another report. Using that info, he obtained a key that allowed him to access server files. To demonstrate the extent of the vulnerability, he downloaded several “buckets” of non-user data from Instagram’s Amazon servers. The data, he discovered, gave him access to source code and secret authentication codes. Also Read - Facebook’s new name could be Meta or Horizon, or will it be called FB?
“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” he wrote in a blog post.
Having paid Wineberg $2,500 for discovering the earlier bug, Facebook was, this time around, far from grateful. It declined to pay him for the later bug submissions, saying he had violated the terms of its bug bounty program.
In a Facebook post, CSO Alex Stamos wrote: “Intentional ex-filtration of data is not authorized by our bug bounty program, is not useful in understanding and addressing the core issue, and was not ethical behavior by Wes.”
Stamos was also reported as telling Synack’s CEO — Wineberg’s employer — that “we could not allow Wes to set a precedent that anybody can ex-filtrate unnecessary amounts of data and call it a part of legitimate bug research”.