Facebook expands bug bounty program to cover scraping attacks

The Meta (formerly Facebook) security team has added scraping attacks to the list of incidents covered by the company's bug bounty program.

Starting today, Facebook said it would pay security researchers who find loopholes in its platform's anti-scraping protections that allow a threat actor to collect user data, even if that data is public and listed in users' profiles already.

In addition, the company said it would also reward security researchers who find Facebook data on the internet that appears to have been collected following a scraping attack.

"The reported dataset must be unique and not previously known or reported to Meta," said Dan Gurfinkel, Security Engineering Manager at Facebook.

"If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed," Gurfinkel added.

Facebook said the data must also be larger than 100,000 user records and can include details such as emails, phone numbers, physical addresses, religious or political affiliations, or any personal or sensitive information listed in user profiles.

The company said it does not matter if the data was collected by a cybercriminal or a Facebook app developer, as it wants to crack down on the illegal scraping of its platform.

No money for scraping Facebook yourself

To avoid situations where bug bounty hunters will scrape Facebook themselves and then leak the data online in order to earn a reward, Facebook said that any reports for the identification of scraped Facebook databases would not be eligible for monetary rewards.

Instead, Facebook plans to make donations of $500 and more to the charity of a researcher's choosing.

On the other hand, bug hunters can earn money but only by identifying loopholes in Facebook's anti-scraping defenses. The rewards start at $500 and can go up, depending on the bug's complexity and impact, Gurfinkel said.

Aftermath of recent Facebook scraping incidents

The changes to Facebook's bug bounty program today come after the company has been at the center of several data scraping incidents in previous years.

For example, in April, the phone numbers of 533 million Facebook users were shared on a hacking forum, data that the leaker said they collected after scraping Facebook.

In October 2021, Facebook also sued a Ukrainian man who scraped the data of more than 178 million Facebook users between January 2018 to September 2019, data that he later leaked online.

At the time, Facebook linked this incident to the abuse of its contacts import feature in its Messenger mobile app. Academic research published in May 2021 revealed that Facebook wasn't the only social network vulnerable to scraping attacks via contacts importing features and that other instant messaging apps were also vulnerable, such as Signal and Telegram.

It's exactly these kinds of loopholes that the company is now trying to detect before they get abused.