Facebook pays for security holes

30 August 2011
Last updated at 05:54 ET

Facebook has paid $5000 to those who found the biggest security holes in its site

Facebook has spent $40,000 (£25,000) in the first 21 days of a program that rewards the discovery of security bugs.

The bug bounty program aims to encourage security researchers to help harden Facebook against attack.

One security researcher has been rewarded with more than $7,000 for finding six serious bugs in the social networking site.

The program runs alongside Facebook’s efforts to police the code it creates that keeps the social site running.

A blog post by Facebook chief security officer Joe Sullivan revealed some information about the early days of the bug bounty program.

He said the program had made Facebook more secure by introducing the networking site to “novel attack vectors, and helping us improve lots of corners in our code”.

The minimum amount paid for a bug is $500, said Mr Sullivan, up to a maximum of $5000 for the most serious loopholes. The maximum bounty has already been paid once, he said.

Many cyber criminals and vandals have targeted Facebook in many different ways to extract useful information from people, promote spam or fake goods.

Continue reading the main story

“Start Quote

It’s hardly surprising that the service is riddled with rogue apps and viral scams”

End Quote
Graham Cluley
Sophos

Mr Sullivan said Facebook had internal bug-hunting teams, used external auditors to vet its code and ran “bug-a-thons” to hunt out mistakes but it regularly received reports about glitches from independent security researchers.

Facebook set up a system to handle these reports in 2010 which promised not to take legal action against those that find bugs and gave it chance to assess them.

Paying those that report problems was the logical next step for the disclosure system, he said.

Graham Cluley, senior technology consultant at Sophos, said many other firms, including Google and Mozilla, run similar schemes that have proved useful in rooting out bugs.

However, he said, many criminally-minded bug spotters might get more for what they find if they sell the knowledge on an underground market.

He added that the bug bounty scheme might be missing the biggest source of security problems on Facebook.

“They’re specifically not going to reward people for identifying rogue third party Facebook apps, clickjacking scams and the like,” he said. “It’s those sorts of problems which are much more commonly encountered by Facebook users and have arguably impacted more people.”

Facebook should consider setting up a “walled garden” that only allowed vetted applications from approved developers to connect to the social networking site, he said.

“Facebook claims there are over one million developers on the Facebook platform, so it’s hardly surprising that the service is riddled with rogue apps and viral scams,” he said.

Share and Enjoy

Hands on: HTC Status social smart phone

In recent years, Twitter and Facebook have taken over as a way for people to socialize, meet new friends and get breaking news.

Since social media has become so dominant over the years, Facebook and Twitter applications have become readily available to people with smart phones. Now, mobile uploads, status updates and everyday banter can be published on a moment’s notice. This has been a fairly easy task, but the HTC Status has made it even easier.

The Status, which is geared towards social networking addicts, comes equipped with a ‘Facebook button’ to simplify uploading photos and status updates. The appropriately-named Status also has cameras on the front and back of the phone which is useful for those who enjoy taking self-portraits, or as HTC advertises, can be used as a mirror.

The Status also takes the best of both worlds and has both a touch screen and a QWERTY keyboard.

SOCIAL NETWORKING

The Status is the first smart phone on the market to have its own designated Facebook button. With just a simple click of the trademarked ‘F’ button, photos and status updates can be updated in a matter of seconds. The response time varies, however, as it took no time at all for an uploaded photo to show up in the Facebook News Feed, but a few minutes for a status update to post.

The phone also has a Twitter application which is quite user friendly (although there’s no designated button for it). The application also allows photo uploads, and updates much like Facebook.  Again, the time for the Twitter update to appear on the live feed varied between instant and five minutes.

The most appealing social networking feature of the Status however is the FriendStream, which combines updates from both the users’ Twitter and Facebook accounts. This makes it easier to catch up on breaking news and friend updates rather than having to check both applications.

Another interesting feature is the Facebook/calling sync, so that when someone calls the phone, their latest Facebook photo and status appear on the call display.

CAMERA

The Status features two cameras “ a 5mpx camera at the back and a VGA camera located at the front. The 5mpx camera at the back is comparable to an iPhone’s camera. The images turn out much better than early BlackBerry photos, but in certain light, it’s not clear enough to look like it was taken with an actual digital camera. The VGA camera, or the ‘mirror’ at the front, is not nearly as clear as the 5mpx camera and under certain light gives off a reddish tinge.

Special effects like sepia and aqua can also be used during or after taking the photo. It’s a neat feature to have, but something more useful like red-eye removal would have been more beneficial.

KEYPAD

The touch screen/QWERTY keypad combo is much like RIM’s latest BlackBerry Bold. On the Status, the touch screen was very responsive and no issues were faced while using the phone. The QWERTY keypad was also responsive, the letters were more spaced out than on a BlackBerry and, depending on the user, could be considered either good or bad. The keypad also has a ‘.com’ button which makes entering a website or email address a lot easier and faster.

CONCERNS

In general, there weren’t many problems with the Status, however one issue was when the phone was in use for a long period of time, the device would get rather hot, not so much that it burns the skin, but enough to raise a bit of a concern.

The Status would be a great phone for someone who really enjoys social networking. The Facebook, Twitter and FriendStream features all work quickly and are easy to use and understand. However, for someone who doesn’t have any interest in social media, this phone is probably not for them.

Available now through TELUS Mobility.

Share and Enjoy