Facebook threatens security researcher over 'keys to the kingdom' exploit

Look but don't touch: Facebook objected to the level of scrutiny it was placed under

A security researcher has been threatened with legal action over his pursuit of a bug bounty from Facebook.

Wesley Wineberg, the security researcher in question, recently claimed to have discovered a 'million dollar bug' in Instagram, the immensely popular photo app acquired by Facebook in 2012 for US$1 billion (£670 million).

Wineberg said the bug would have given him access to SSL certificates, source code, and ultimately, the back end of the entire website. “To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement”, wrote Wineberg in his blogpost.

With that material he could effectively gain access to any user account and impersonate any user or staff member – essentially the Keys to the Kingdom, as Wineberg described it. This information was put into several separate disclosures to Facebook, Instagram's parent company.

Wineberg, who has over seven years' experience in information security, is an old hand at bug-bounty reporting, and claims to have disclosed hundreds of bugs “with almost no drama,” until now.

For the first disclosure in late October, Facebook offered to pay Wineberg $2500. Facebook took issue with the second and third disclosures, however, saying that the researcher had overstepped his bounds: rather than merely disclosing the vulnerability, he had delved further into the system, exfiltrated data and found further vulnerabilities, violating user privacy in the process.

Alex Stamos, CSO of Facebook, responded in a blog post, saying that while Wineberg had reported the vulnerability ethically, he had also exfiltrated technical and system data using the flaw he found and reported. Stamos expanded on social media, saying that "the downloading of files from S3 was an unnecessary exfiltration and a violation of a warning we explicitly gave him. I really didn't want him setting a precedent that you could download an arbitrary amount of data and call it legit."

Stamos also claims that Wineberg was not happy with the $2500 offered to him, and responded to the company that he had downloaded the data using the flaws he had found. A threat too far, perhaps, for Stamos.

Wineberg has cited a now-infamous Bloomberg article on Facebook's White Hat bug bounty programme in which Facebook said, “If there's a million-dollar bug we will pay it out.” The security researcher happens to think that he found that million dollar bug.

Stamos then contacted Synack, Wineberg's employer, and, according to Wineberg, made the point to Synack's CEO, Jay Kaplan, that he did not want to have to get Facebook's legal team involved, and wondered aloud whether law enforcement should become involved.

Wineberg says he has consulted counsel and is in the clear, legally speaking. The bug has now been fixed, according to Facebook, bringing this little saga to a neat close.