Facebook recently announced a bug bounty program with an aim to improve the security posture of its massively-popular social network platform.
This is certainly a step in the right direction, but is it enough? Or, does it fall short in terms of actually protecting Facebook users?
Of the exclusions listed on Facebook's bug bounty page, there is one theme that stands out and should cause concern for the 750 million some-odd Facebook users.
First, the exclusions:
- Security bugs in third-party applications (e.g., https://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
In case you missed it, here's the issue: Facebook is focusing on its own engineering efforts related to its own platform. With this bounty, Facebook is effectively side-stepping the security of the entire Facebook ecosystem, leaving out third-party systems and applications within its corporate infrastructure and all third-party applications and websites associated with its platform.
Granted, Facebook shouldn't have to pay a bounty for third-party defects, but Facebook should encourage its application partners to develop and host their applications securely.
Making the potentially dangerous assumption that Facebook has IT security staff dedicated to securing its corporate infrastructure, let's focus on the third-party applications and websites.
This public-facing environment is where a large number of attacks can and do take place, including phishing, identity forgery, cross-site scripting, SQL injections, remote code injections, application hijacking, and session hijacking, just to name a few. Securing the underlying platform is good, but with people installing 20 million Facebook applications every day and with more than 250 million people engaging with Facebook via external websites every month, the users of the system should demand better security throughout the entire ecosystem – not just Facebook alone.
In Las Vegas, as the Black Hat 2011 conference wrapped up and the DefCon 19 conference kicked off, Facebook appealed to the abundance of security researchers with its $500 bounty.
But in a conversation I had at Black Hat with Mandeep Khera, the chief marketing officer for web application security firm Cenzic, he made it painfully clear that the social network world needs to take a good hard look at how it treats third-party elements within its ecosystems.
"It's not enough to protect the platform and to leave all of the third-party applications and websites sitting there, vulnerable to attack and open for malicious use," he told me.
With millions of third-party Facebook applications and more than 2.5 million Facebook-integrated websites to assess, it could take some time to provide any real level of assurance to social network users that the environment is safe.
Ultimately, it would be good to know which third-party sites and applications have been tested for security vulnerabilities, with some form of application code-signing and certification process which could be used to inform the users as to the assessed security posture of each application and website prior to their acceptance of its terms of service.
Until then, let's hope the social network developers take it upon themselves to hold security assessment parties of their own.
