Security researchers discovered seven security vulnerabilities in Facebook’s corporate tools, including a file transfer service, which gave them access to hundreds of the social network’s employee usernames and passwords. Here to comment on this news are security experts Paul Farrington, Senior Solution Architect at Veracode, and Lee Munson, security researcher for Comparitech.com.
Paul Farrington, Senior Solution Architect, Veracode:
The security vulnerabilities found within the corporate Facebook network demonstrate the necessity for companies to invest in monitoring and testing their web and mobile environments and servers against flaws that may leave them open to attack. While these vulnerabilities were thankfully found and flagged to Facebook as part of its bounty programme, too frequently such vulnerabilities are discovered and exploited by malicious actors, ultimately leading to serious security breaches.
As you think about the attack surface of Facebook, given its web presence on so many devices and channels, Facebook has a formidable job in keeping the bad guys out. They do deserve credit for the way in which they embrace the security community to highlight potential vulnerabilities on a responsible disclosure basis. There will be future vulnerabilities disclosed about Facebook, but their stance is commendable and is in stark contrast to some older firms that have effectively discouraged the inspection and reporting of any vulnerabilities.
While it’s clear that not all companies can afford, or wish, to employ a bounty programme to discover security flaws, it is essential that all organisations are still taking active measures to ensure that their web and mobile environments and internal networks are secured. Companies often unwittingly have tens of thousands of vulnerabilities sitting there waiting to be exploited. Indeed, Veracode recently helped a global manufacturer scan its 110 third-party applications and subsequently remediated over 10,000 vulnerabilities. Without regular security testing, flaws will remain unpatched and a risk: the equivalent of locking all your windows but leaving the door wide open.
Lee Munson, Security Researcher, Comparitech:
When a company offers a bug bounty program it is opening the door to all-comers, inviting them to track down any and all vulnerabilities in its web code so, in that respect, I have no issue with researchers collecting login credentials (as long as they deal with them in a responsible manner).
I do, however, take issue with the fact that Facebook knew about this particular backdoor and seemingly, and wilfully, left it in place. After all, the whole purpose of a bug bounty program is to identify and remediate all discovered risks.
That said, bug bounty programs remain a good idea in theory, though practice can often be an altogether different story, as we see here.