Professionalism/Wesley Wineberg and Facebook

Wesley Wineberg, a professional security researcher at a firm called Synack, regularly participates in the bug bounties offered by large tech companies, both as part of his work and in his own time. In late October of 2015, Wineberg discovered what he later called a “million dollar bug” in Facebook’s infrastructure; his actions and the response he received from Instagram are the subject of this chapter.taruncharan_948 ?! wall understand but not so sure to join please

Bug Bounties
Many companies will reward anyone who discloses bugs in their software; such a reward is called a bug bounty. The first bug bounty program was started by Netscape in 1995, which gave cash or merchandise to users that were the first to find bugs in a beta version of Netscape Navigator. Bug bounties allow companies to cheaply find vulnerabilities and to incentivize users to disclose bugs instead of exploiting them. Many bug bounty programs, such as Facebook's and Google's, will pay out higher rewards for more important bugs.

Facebook's Bug Bounty Program
In 2011, Facebook launched its own bug bounty program. As of December 2015, Facebook has paid over $4.3 million in bug bounties. Facebook has sole discretion in deciding how much to pay for a bug, judging each bug's value based on its "impact, communication, target, and secondary damage". The largest single payout by Facebook was for a remote code execution disclosed in 2014, for which it paid $33,500. There is no official cap on the size of Facebook's payouts. Ryan McGeehan, at the time the manager of Facebook's security incident response team, said, “If there’s a million-dollar bug, we will pay it out.”

The Exploit
On October 21, 2015, Wineberg received a tip from an acquaintance that a server owned by Instagram (a subsidiary of Facebook) may be vulnerable to a particular type of attack called  remote code execution. Wineberg, having previously participated in Facebook’s bug bounty program, followed up on the lead and executed an attack against this vulnerable server, gaining access to it. He submitted a bug report to Facebook, expecting a bounty. Facebook responded the next day, confirming the vulnerability. Meanwhile, Wineberg proceeded to see how much the vulnerability exposed.

Wineberg quickly discovered that the server which he had infiltrated contained a number of administrator accounts - owned and used by Instragram employees for their work - with weak passwords; particularly egregious examples included “password” and “instagram.” After receiving confirmation that Facebook was investigating the first vulnerability he had submitted, Wineberg submitted another bug report, which included information about these weak passwords and how they gave him administrator access on the server. This second report was submitted on October 22nd.

Wineberg did not receive a response from Facebook right away, and continued to see what he could do with his newfound access. The weak passwords allowed him, by October 24th, to gain access to an Amazon S3 repository owned by Instagram. It contained 83 unique buckets, of which Wineberg could access just one. However, when he investigated that bucket, he discovered that it contained the credentials he needed to access the other 82 buckets (privilege escalation) - which contained much sensitive information, including Instagram’s source code, private user data, and all of Instagram’s secret keys. In other words, Wineberg had the ability to cause all sorts of havoc or do a lot of damage to Instagram.

Facebook's Response
Wineberg did not receive a response from Facebook about the second vulnerability he submitted until a few days later, on October 28th. Facebook did not immediately accept this vulnerability, like they had with the other, but instead began a dialogue that lasted roughly a month in which they gave increasingly evasive answers about why they did not want to pay out a bounty for this vulnerability. They eventually settled on the claim that it “violates expectations of preserving user privacy.” The full transcripts of the conversation were later published online by Wineberg.

When Facebook finally told Wineberg that his second bounty submission would not be accepted, Wineberg submitted a third bug report, in which he detailed his access to Instagram’s secret keys, etc. He submitted this report in the afternoon of December 1st, and then, that evening, he received a phone call from his manager at work (note that Wineberg has been working on this bounty on his own time exclusively at this point, according to him). The manager added the CEO to the call, who told Wineberg how he had just been called by Alex Stamos, Facebook’s chief security officer. Stamos had requested that Wineberg not discuss his access to the S3 buckets or publish the data he had recovered from them, and told Synack’s CEO that he “wanted to keep this out of the hands of the lawyers on both sides.”

Wineberg then published an account of the situation, in which he says that he “believe[s] that [his] treatment in this situation was completely inappropriate,” in particular referring to Stamos contacting him indirectly through the CEO of the company at which he worked. Stamos responded with a blog post, in which he defended his actions and presented his own account of the episode; in particular, he defended his contacting Wes through his employer by claiming that “finding somebody responsible who could mediate was the least aggressive of several possible next steps.” In addition, Stamos detailed how he believed that Wineberg’s escalation of privilege using weak passwords and exfiltration of data were unethical behavior.

Participant Reactions
Many people and groups have stakes in this incident, including ones other than Stamos, Wineberg, and their respective companies. At a broad level these groups often share similar goals, such as securing Instagram and the data of its users and employees, but disagree about how far bug bounty hunters like Wineberg should go to achieve these goals.

Facebook and Similar Companies
Facebook has a duty to provide safe services to its users so that their private information cannot be used in unauthorized ways. As Chief Security Officer, Alex Stamos is directly responsible for this duty. With over 1 billion active users and roughly 14,000 employees as of March 2016, only some of whom work on finding and fixing bugs, Facebook has a strong interest in making it easy for outsiders to help them find bugs.

If this were Facebook’s only interest, Stamos and his security team likely would have been happy to receive Wineberg’s reports. However, Facebook’s duty to its users means that the company cannot allow security researchers to violate user privacy or threaten the stability or availability of Facebook’s services. Facebook also has an interest in keeping the technological details of its operation hidden from non-employees. According to Stamos, Wineberg used the bug he found to take this kind of data, which Stamos claimed was “not useful in understanding and addressing the core issue, and was not ethical behavior.”

Other companies balance these priorities differently as they create sets of rules for bug bounty hunters to follow. These companies have an interest in making their rules as explicit as possible to prevent situations like this from occurring. For example, Facebook amended its rules to explicitly prohibit exploiting any discovered bugs in order to find more. Around the time of this incident, Tumblr updated their rules to explicitly tell researchers to stop and submit a report when they discover bugs like the one Wineberg originally found. These companies have strong interests in finding and fixing bugs, but these interests are limited by their other duties.

Synack and Other Employers
Though Synack is a security research firm, Wineberg was not representing the company when he investigated and reported the bugs to Facebook. Nevertheless, Alex Stamos personally called the CEO of Synack to address Wineberg’s behavior. In online discussions, many people have speculated that the purpose of calling Synack was to get Wineberg fired and that regardless of the purpose this was unethical behavior by Stamos. As the head of a small company that does security research, Synack’s CEO understood Wineberg’s position and stood by him, but it is easy to imagine that CEOs of other companies with less knowledge of security research would not stand by an employee if faced with legal threats from Facebook. Luckily for Wineberg, his boss knew the professional standards of security research and chose to support him.

Independent Security Researchers
Security researchers do not agree whether Wineberg’s behavior was ethical and professional. One argued that it was “borderline criminal” and another argued that Wineberg’s behavior was unprofessional, while others stood by Wineberg. This incident shows that even well-respected professionals in a particular field can have differing views as to ethical behavior - what is viewed as excellent to some may be seen as taking it too far by others. The differing standards on bug bounties held by researchers and companies show just how wide this divide is; this study of Wineberg and Facebook shows just one glimpse of the debate.

Conclusion
The debate on the scope of bug bounty programs and the responsibilities of security researchers when searching for bugs is one that existed long before this controversy and is far from being resolved. Bug bounty programs were designed to encourage well-intentioned researchers to responsibly find and submit bugs without threats of legal action. In this case, that system broke down. Wesley Wineberg may have gone too far in an attempt to find bugs in Instagram, while Facebook's Chief Security Officer Alex Stamos may have crossed the line when he responded by calling Wineberg's employer and threatened legal action. Though this incident inspired companies like Facebook to be more explicit in their bug bounty rules, the rules remain inconsistent between companies and security researchers disagree as to what constitutes ethical, professional bug bounty hunting behavior. As time goes on, more cases will surely arise that highlight the uncertainty regarding professional ethics and well-intentioned hacking. Those cases could provide interesting extensions for this chapter.