Facebook Bug Bounty opens to reward access token exposure

Facebook on Monday announced it is expanding its bug bounty program to include vulnerabilities related to access token exposure.

Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app. The social media giant will now offer at least $500 for vulnerabilities found in third-party apps and websites that involve improper exposure of these tokens, according to a September 17 blog post.


“If exposed, a token can potentially be misused, based on the permissions set by the user,” said Dan Gurfinkel, security engineering manager at Facebook, in the post. “We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”
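One of the most common ways a token ends up improperly exposed is when a third-party app places it in a URL (query string or fragment), where it is then copied into server logs, Referer headers and analytics. The following is an added example, not code from Facebook's post or from any app it describes: it scans Apache-style log lines for URLs that carry a token and produces a redacted copy suitable for storage. The sample log lines are constructed; `access_token` is the real Graph API parameter name, while `fb_access_token` and `token` are assumptions about names an app might use.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query/fragment keys that carry bearer credentials. "access_token" is the
# Graph API parameter; the other two are assumed names an app might use.
TOKEN_PARAMS = {"access_token", "fb_access_token", "token"}

# Pulls absolute URLs out of free-form text such as a log line.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LINES = [
    # token leaked via a Referer header recorded by a CDN/log pipeline
    '203.0.113.5 - - [17/Sep/2018:10:01:12 +0000] "GET /widget.js HTTP/1.1" 200 '
    '"https://app.example.com/connect?access_token=EXAMPLEtoken123&state=xyz"',
    # implicit-flow style redirect keeping the token in the URL fragment
    '198.51.100.7 - - [17/Sep/2018:10:02:40 +0000] "GET /cb HTTP/1.1" 302 '
    '"https://app.example.com/cb#access_token=EXAMPLEtoken456&expires_in=5183944"',
    # clean request, nothing to flag
    '192.0.2.9 - - [17/Sep/2018:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 "-"',
]


def find_exposed_tokens(text):
    """Return (host+path, parameter) for every URL in `text` whose query
    string or fragment carries a non-empty token parameter. The token value
    itself is deliberately not returned, so findings can be logged safely."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        for section in (parts.query, parts.fragment):
            for key, value in parse_qsl(section, keep_blank_values=True):
                if key in TOKEN_PARAMS and value:
                    findings.append((parts.netloc + parts.path, key))
    return findings


def redact_tokens(text):
    """Return `text` with every token value inside a URL replaced by
    [REDACTED]; all other parameters and the URL structure are preserved."""
    def scrub(section):
        pairs = parse_qsl(section, keep_blank_values=True)
        return urlencode(
            [(k, "[REDACTED]" if k in TOKEN_PARAMS else v) for k, v in pairs],
            safe="[]",
        )

    def redact_url(match):
        p = urlsplit(match.group(0))
        return urlunsplit((p.scheme, p.netloc, p.path, scrub(p.query), scrub(p.fragment)))

    return URL_RE.sub(redact_url, text)


def scan_log(lines):
    """Run the detector over a sequence of log lines and flatten the findings."""
    return [finding for line in lines for finding in find_exposed_tokens(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LINES):
        print("token exposed in URL:", hit)
    for line in SAMPLE_LINES:
        print(redact_tokens(line))
```

Both the query string and the fragment are checked because a token in a fragment never reaches the server in the request line but is still written to client-side history, Referer headers and any JavaScript analytics that read `location.href`. Running the redaction step before log lines leave the application host is the mitigation; the detector is the check that tells you whether it is needed.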

Facebook said it will promptly suspend all apps that don’t comply, will automatically revoke access tokens that could have been compromised to prevent potential misuse, and will alert those it believes to be affected, as appropriate.

The announcement comes roughly six months after news broke of the Cambridge Analytica scandal, which prompted Facebook director Mark Zuckerberg to pledge changes and reforms to the firm’s policies to better protect user data.
