Facebook has announced the expansion of its bug bounty program for bugs associated with the fraudulent use of access tokens.
When a user authorizes an application via Facebook, a unique access token is issued for that user. In an attacker's hands, such a token can be used within the permissions its owner granted.
The program now also covers third-party sites and applications, namely:
- Internet.org / Free Basics;
- the open source platform (based on Facebook).
Facebook's developers have updated the terms of service to include the main criteria for submitting a bug report. The principal one is that the report must contain clear proof demonstrating how the tokens are obtained. Reports can be submitted by contacting Facebook security.
The Facebook team is prepared to pay $500 for a vulnerability found in an application or on a site, provided the report is correctly compiled. Reports will be accepted only if the user found the bug through passive observation and did not exploit it in any way for their own purposes.
The company has also listed the classes of problems to which this program does not apply:
- spam and social engineering techniques;
- denial-of-service attacks;
- content injection where the risk is not demonstrated;
- security vulnerabilities in third-party applications and on third-party sites integrated with Facebook (including most of the pages on apps.facebook.com);
- script execution on sandbox domains (for example, fbrell.com or fbsbx.com).
To address both security and the speed of fixing problems, Facebook's developers have created a tool called SapFix, which automatically generates and deploys patches. It is based on artificial intelligence that independently finds bugs and proposes candidate fixes.