The security team at Meta (formerly Facebook) announced that it is expanding its bug bounty program to cover scraping attacks and the unauthorized collection of user data.
From now on, the company will pay cybersecurity researchers who discover holes in its anti-scraping tools that allow attackers to collect user information, even if this data is publicly available and is simply listed in profiles. Rewards for such bugs start at $500. In addition, the company said it will reward researchers who find, on the Internet, Facebook user data that was previously collected through scraping.
Such dumps must contain at least 100,000 user records and details such as email addresses, phone numbers, physical addresses, information about religious or political views, and any personal and confidential information specified in user profiles. It doesn’t matter if the data was collected by a cybercriminal or an application developer, since Meta intends to fight all illegal data collection on its platform.
To avoid situations where bug hunters themselves scrape data from Facebook and then leak it online (to earn rewards), the company said it would not pay for such reports. Instead, Facebook plans to make donations of $500 or more to a charity of the researcher’s choice.
I must say that data scraping has long been a very acute problem for Facebook. For example, in the spring of this year, a hacker put up for sale the data of 533 million Facebook users that had been collected in this way. At that time, Facebook representatives said that they had disabled the Contact Importer feature, which was abused by the scraper, back in September 2019, when they discovered that attackers were using it.
In October 2021, Facebook filed a lawsuit against a Ukrainian who, from January 2018 to September 2019, collected information about 178 million people and then leaked this information online.
Let me remind you that we also reported that Facebook expanded its bug bounty program for third-party services.