Facebook to pay hackers up to $300,000 to uncover remote code execution bugs

Meta has updated its bug bounty program to offer up to $300,000 to security researchers who report vulnerabilities allowing attackers to remotely execute code on its mobile apps, the company said on Thursday.

In a newsroom post accompanying reports about the threats facing Facebook and Instagram users from spyware and covert information operations, Meta said it had so far this year paid out $2 million in rewards to researchers from more than 45 countries. Out of about 10,000 reports made to the company, Meta offered rewards to more than 750 submissions.

Researchers in India, Nepal and Tunisia received the most bounties this year, said the company, although it was not clear whether this was in terms of volume or the value of the payout. The company has paid more than $16 million for more than 8,500 reports since 2011.

By comparison, Google said earlier this year that it awarded $8.7 million to security researchers in 2021 through its vulnerability rewards program. Microsoft reported in July 2021 that it paid bug hunters $13.6 million for reports between July 1, 2020, and June 30, 2021.

Alongside updating its payout guidelines for mobile remote code execution (RCE) bugs, Meta has introduced new guidelines to cap payments for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities.

ATO reports can net researchers up to $130,000 for a zero-click attack, but that drops to a maximum of $50,000 and then lower depending on how much user interaction is needed to exploit the vulnerability. The maximum payout for 2FA bypass is $20,000.

These maximums set the bar before the company makes deductions "based on required user interaction, prerequisites, and any other mitigating factors."

However Meta also says “each report is evaluated on a case-by-case basis and could, in some cases, be awarded higher than the cap depending on the internally assessed impact.”

The company said these bounties make its program "one of the highest paying in the industry." In contrast, Apple offers researchers up to $2 million for reporting bugs that allow attackers to bypass its Lockdown Mode protections.

Account Takeover and Two-Factor Authentication Bypass Chain: We received a report from Yaala Abdellah, who identified a bug in Facebook’s phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn’t protected by 2FA. We’ve fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses. While we were investigating, the researcher was able to build on an earlier find to chain it to a separate 2FA bypass bug. We’ve fixed this issue and rewarded the researcher an additional bounty of $24,700, including program bonuses.
2FA Bypass: We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.

–Meta statement

Account security warnings

Account security across Meta’s apps has also received a blog post which notes the challenges facing online companies when adversaries have access to a legitimate user’s contact point — whether an email or a phone number — that they abuse to reset the victim’s password and gain access to their other accounts.

The company warned that one in four compromised Facebook accounts are being taken over in this fashion, although it did not provide figures on the volume of the issue.

With an ever-growing amount of password and email dumps available online, the threat posed by contact point compromises is affecting every part of the online industry, including online banking customers.

While most banks should attempt to reach out to customers if they detect suspicious activity, there are numerous examples of retail banks refusing to cover the losses after a user’s account was compromised.

Meta said the approach was "tricky" because "if we tighten account security controls too much, innocent people will have a harder time using and recovering their accounts. If we are too loose with controls, bad actors will have an easier time abusing our systems to compromise people."

The company, like the industry in general, uses a variety of tools and techniques to identify suspicious activity and authenticate legitimate users, from requesting a copy of their ID documents through to sending a confirmation code to another device that had previously logged in to the account.

Alongside the new bug bounty guidelines, the company introduced a small test of a live chat support feature on Facebook for users who are having account access issues. It said that during October “we offered our live chat support option to over a million people in nine countries and we’re now planning to expand this test to more than 30 countries around the world,” although it is not clear how effectively this program will scale to cover 3.6 billion monthly users.