Mutiny on the bug bounty
A good deed went punished for Wesley Wineberg.
Vulnerabilities that could allow hackers to run code remotely were detected by a blogger, but have put him at odds with Facebook and Instagram and underscores the uneasy balance between exposing flaws for a financial reward, and then being told to not go public with those findings.
Wesley Wineberg said in a recent post on his personal blog that he's been censured due to his participation in the Facebook bug bounty programme, for which he initially was told he qualified to receive $2,500 (£1,733). Wineberg – who previously earned $24,000 (£16,633) from Microsoft for mitigating an Outlook worm – chronicles the saga over multiple pages since October.
Once he found a hole in an exposed Amazon server, he was able to crack some weak employee passwords which enabled him to gain a key that allowed him to access server files.
In his take on the exploit, he then illustrated the depth of the flaw by downloading “buckets” of non-user data from Instagram's Amazon servers. This granted him access to the foundations of the structure: source code and secret authentication codes.
“To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement,” he wrote in a blog post.
The controversy stems from whether Wineberg's accessing Instagram employee and user data was legitimate research.
On his own blog, Facebook CSO Alex Stamos on 17 Dec accused Wineberg of non-ethical behaviour by “exfiltrat[ing] unnecessary amounts of data and call[ing] it a part of legitimate bug research. Intentional exfiltration of data is not authorized by our bug bounty programme, is not useful in understanding and addressing the core issue.”
Wineberg responded on 18 Dec in his blog, Exfiltrated: “I continue to hope that security research will be given appropriate recognition and legal protections. I believe that it's the infosec community's job to lead by example. I don't think that threatening security researchers should ever be acceptable.”
Stamos, formerly Yahoo's CISO and well regarded in the security community, said he was surprised that Wineberg planned to publicise the incident and contacted his employer, Synack, where he works as a security engineer on a contract-only basis.
While some argue that Wineberg crossed the line by cracking passcodes, others contend he was justified in pointing out the potential danger and Stamos' response was uncalled for.