Category Archives: bug bounty

Flaw in New Facebook Design Allowed Removal of Profile Photos

A security vulnerability in the Facebook design (FB5) could have allowed attackers to remove any photo from profiles of the users.

The security expert Philippe Harewood is one of the security researchers that received early access by Facebook to the new FB5 design and discovered an important design flaw.

Harewood explained that the issue affects the GraphQL that is a feature implemented in the new design to remove profile pictures from Facebook fan pages. The design vulnerability could be abused by attackers to delete photos from the profiles of the users.

“The profile_picture_remove mutator is the name of the GraphQL call for this specific mutation. Normally, the mutation accepts a page identifier in the profile_id field for a Facebook page. Changing the identifier for any user profile allowed a malicious user to dissociate the user’s profile picture.” reads a blog post published by Harewood.

The researcher also published a proof-of-concept (PoC) code that allowed him to remove the profile photo from any targeted user’s account.

Harewood pointed out that the original photo removed exploiting the flaw was still available, this means that a user is able to set the profile picture back to the original in an easy way.

Facebook acknowledged the vulnerability and awarded the researcher a $2,500 as part of its bug bounty program.

“We recently ran a similar program where we granted a select group of researchers early access to FB5, the new design for Facebook we announced at our F8 conference. One of these researchers, Philippe Harewood, identified a bug in the new interface that could have allowed someone to remove another person’s profile photo. If this bug was exploited, a person’s profile photo would appear blank.” reads a post published by Facebook. “However, the photo would still be saved in the person’s account and available to upload. We thank Philippe for sharing this bug so we could fix it before FB5 rolls out worldwide. You can read more about his finding here.”

Facebook also announced that it is expanding its Data Abuse Bounty program to include Instagram. The social network giant will launch an invitation-only bug bounty program for the Checkout feature implemented in Instagram.

Checkout on Instagram allows people to purchase products directly on Instagram without leaving the app. To continue to ensure this feature’s security as we expand globally, we’ve invited a select group of security researchers to stress test it.” concludes Facebook.

“We are exploring other opportunities to tap into the expertise of researchers who consistently submit high-quality research to our bug bounty program and invite them to test new features prior to launch.”

Pierluigi Paganini

(SecurityAffairs – Facebook, bug bounty)

The post Flaw in New Facebook Design Allowed Removal of Profile Photos appeared first on Security Affairs.

Apple announces major changes to its bug bounty program, including higher rewards

At the Blackhat cybersecurity conference, Apple has announced a few major changes to its bug bounty program that will be open to any researcher.

The most striking change is related to the payout for the rewards, the
maximum reward passed from $200,000 to $1 million. This is the biggest payout for a bug bounty program operated by a tech company.

Apple will pay up to $1 million reward for a zero-click kernel code execution vulnerability zero user clicks,  that could be exploited by an attacker to take over a device.

On top of the maximum reward of $1 million, the tech giant announced it will also offer a supplementary bonus of 50% to those experts who report security issues in beta version software before its public release.

Another novelty is represented by the extent of the bug bounty program to all the operating systems developed by the company, including macOS, watchOS, tvOS, iPadOS, and iCloud.

Until now Apple’s bug bounty program only covered vulnerabilities in the iOS mobile operating system.

The tech giant also announced that starting from the next year will also provide pre-jailbroken iPhones to a selected number of trusted white-hat hackers under its iOS Security Research Device Program. 

“What makes these iPhones special? One source with knowledge of the Apple announcement said they would essentially be “dev devices.” Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone.” wrote Thomas Brewster on Forbes. “In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.”

Apple’s decision to extend the bug bounty program and increase the rewards is very important. Let’s consider that since now the best way to earn money for a bug hunter was to sell the exploits to zero-day broker firms like Zerodium. These companies historically offered greater rewards for working zero-day exploits for popular software like iOS and the Tor Browser.

Pierluigi Paganini

(SecurityAffairs – bug bounty, Apple)

The post Apple announces major changes to its bug bounty program, including higher rewards appeared first on Security Affairs.

Apple expands bug bounty program, opens it to all researchers, raises rewards

Three years ago at the Black Hat conference, Apple announced its first bug bounty program, which was invite-only and limited to iOS. At this year’s edition of the con, Ivan Krstić, Apple’s head of security engineering and architecture, announced changes to it. Wider scope, higher bug bounties Starting this fall, the program will be open to all researchers. Apple Bug Bounty. pic.twitter.com/jyD9UwU9pI — mikeb (@mikebdotorg) August 8, 2019 The bug bounty program has been widened … More

The post Apple expands bug bounty program, opens it to all researchers, raises rewards appeared first on Help Net Security.

Apple Increases Maximum Bug Bounty Program Payout to $1M

Apple announced that it will be expanding the scope of its bug bounty program and increasing its maximum possible reward payout to $1 million. Ivan Krstić, Apple’s head of security engineering, made the announcement during a presentation on iOS and macOS security at Black Hat USA 2019. He revealed that Apple’s bug bounty program will […]… Read More

The post Apple Increases Maximum Bug Bounty Program Payout to $1M appeared first on The State of Security.

AT&T Announces Launch of Public Bug Bounty Program

American multinational conglomerate holding company AT&T has announced the launch of its public bug bounty program on HackerOne. Revealed on 6 August, the new program will award security researchers who submit reports on eligible vulnerabilities that affect AT&T’s websites, mobile apps, devices and exposed APIs. In-scope flaws include weaknesses that affect the confidentiality or integrity […]… Read More

The post AT&T Announces Launch of Public Bug Bounty Program appeared first on The State of Security.

Microsoft sets up isolated environment for bug hunters to test attacks against Azure

Microsoft has some very good news for bug hunters: not only has the company doubled the top bounty reward for vulnerabilities discovered in its Azure cloud computing service, but has also created an isolated testing environment that will allow researchers to try to exploit them. The Azure Security Lab “The Azure Security Lab is a set of dedicated cloud hosts for security researchers to test attacks against IaaS scenarios, and which is isolated from Azure … More

The post Microsoft sets up isolated environment for bug hunters to test attacks against Azure appeared first on Help Net Security.

Google increases bounties for Chrome, Google Play bugs

Bug hunters searching for security flaws in Google’s offerings are now vying for higher bounties. Microsoft has launched a new bug bounty program. Google’s changes Since 2010, when Google started the Chrome Vulnerability Reward Program to reward security researchers who invest their time and effort to discover bugs in Chrome and Chrome OS, the company has raised the offered bounty amounts a number of times. Nine years ago, the rewards ranged from $500 to $1337 … More

The post Google increases bounties for Chrome, Google Play bugs appeared first on Help Net Security.