The recent years have seen the emergence of a new breed of bounty hunters. Set to work by corporations and multinationals, these hunters are tasked with finding vulnerabilities and loopholes in the companies' products and systems.
However, as these researchers delve deeper, situations sometimes take unexpected turns in which they find themselves at loggerheads with the very companies that set them to work.
Something of the sort happened recently when Wesley Wineberg, a contract employee of the security company Synack who was testing Facebook-owned Instagram for weaknesses, found that, in the course of his inquiry, he had stretched his neck a bit too far and received a stern warning from Facebook, one that also hinted at the possibility of legal and criminal action.
Wineberg set out on the trail on the basis of information received from a fellow researcher who had discovered an Internet-accessible Instagram web server running on an Amazon EC2 instance. That researcher had already reported his discovery to Facebook and washed his hands of the matter. However, as Wineberg discovered, the trail led to a supposedly secret Ruby token that could potentially be used to spoof session cookies.
Wineberg was able to go further and use that token for code execution. From there, he was able to dump the contents of a local Postgres database, which led to his digging out the user details of about 60 employees and cracking the encrypted passwords of as many as 12 accounts.
Wineberg brought the issue to Facebook's notice on the 21st of October, and a day later he also reported how he had been able to access the employee accounts. Facebook promptly dealt with the issue by putting the Sensu site behind a firewall and eventually paid Wineberg a $2,500 bounty.
That should have been the end of the matter, with Wineberg enjoying his hard-earned bounty money and Facebook grateful for the discovery of a major flaw in its systems.
However, Wineberg apparently went on to unearth other flaws and, while looking at a Sensu configuration file, discovered an AWS key pair that listed as many as 82 different Amazon S3 storage buckets. With some effort, Wineberg was then able to read and download several buckets, whose contents ranged from SSL keys and private keys for Instagram.com to keys used to sign authentication cookies, email server credentials, iOS and Android app signing keys and iOS push notification keys.
As per Wineberg,
To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement. With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data. It is unclear how easy it would be to use the information I gained to then compromise the underlying servers, but it definitely opened up a lot of opportunities.
Of course, he did nothing of the sort, and all the details were sent to Facebook. However, the manner in which the information was discovered irked the company, which said that Wineberg’s research had gone far beyond the scope of the bounty program.
As per Facebook CSO Alex Stamos,
Wes was one of several people to report to us that Instagram was exposing a Ruby-based admin panel with known flaws. As is standard, we responded to Wes thanking him for his submission and telling him we would investigate. Despite this not being the first report of this specific bug, we informed Wes that we would pay him $2500. Up to this point, everything Wes had done was appropriate, ethical, and in the scope of our program.
However, once Wineberg started delving into AWS and downloaded the storage buckets, things took a different turn, with Facebook saying that the researcher was unhappy with the cash paid out to him.
Wes was not happy with the amount we offered him, and responded with a message explaining that he had downloaded data from S3 using the AWS key and was planning on writing about it.
However, while Facebook had no qualms with Wes writing up his finding and exploitation of the bug, it did not take kindly to him discussing his access to S3 or releasing the data he had taken, since the intentional exfiltration of data was neither part of Facebook’s bug bounty program nor advisable to release to the general public.
The Facebook CSO also called Wineberg’s boss, Synack CEO Jay Kaplan, and said that the overzealous researcher simply couldn’t be allowed to set a precedent whereby “anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research.”
However, it turned out that Wineberg wasn’t acting on behalf of his company at all (nothing wrong with that) and was instead working on this issue in his own free time. Nevertheless, the call did involve a mention of Facebook’s legal team and law enforcement agencies, acting if not against the security firm then against Wineberg himself.
Meanwhile, Facebook has closed down all the avenues used by the overly thorough researcher and says that all the related keys have been rotated. The mention of law enforcement also seems to have brought the errant researcher down a couple of notches; he now wants Synack to confirm that no details were ever made public and that all the data accessed and downloaded from Instagram has been deleted, while also agreeing to keep the findings and interactions private.
However, he did express his disappointment at the treatment meted out to him and said that security researchers need to be given appropriate treatment and protection.
In my opinion, the best course of action was to simply be transparent with all of my findings and interactions. I am not looking to shame any individuals or companies, but I do believe that my treatment in this situation was completely inappropriate.
Well, the matter is certainly very complicated, and it’s quite difficult to judge right from wrong. However, there is an important lesson to be drawn from this.
Although the situation for security researchers has improved over the years to the point where they are no longer indiscriminately branded as hackers, the incident goes to show that a much deeper level of understanding and comfort between researchers and the corporations in question is still lacking and is much needed for the sake of mutual benefit and consumer safety. Until that happens, the fullest potential of these so-called bounty programs will remain far from realization.