While the social network itself takes steps to catch and curtail these automated programs called scrapers, the platform has now decided to enlist the help of independent security researchers by expanding its bug bounty programs. Its goal is to not just fix the bugs that leak such details about its users but also to help find such databases that hold scraped information. “The bug bounty program will help fill the gaps in Facebook’s defenses against scraping and alert Meta to scraped databases that surface on the web,” Paul Bischoff, privacy advocate and editor of Infosec research outlet Comparitech, told Lifewire over email.
The Scraping Menace
Meta referred to scraping as an “internet-wide challenge” as it announced the expansion of its bug bounty program, which was initially designed to find software glitches in the code that powers the platform.

According to Bischoff, many platforms have outlawed the use of scrapers, even for the information they hold that’s publicly accessible. That’s because personally identifiable information (PII), such as usernames, birthdates, email addresses, and location, is often used by bad actors to target users in elaborate social engineering campaigns.

However, Bischoff adds that Facebook has struggled to distinguish between scrapers and legitimate users, which has resulted in huge data leaks in the past. He specifically points to the leak that surfaced in March 2020 when Comparitech teamed up with security researcher Bob Diachenko and discovered a database that contained the user IDs and phone numbers of over 300 million Facebook users.

But scraping isn’t outright illegal—at best it exists in a techno-legal gray area since it does have legitimate uses as well. “Even though scraping is against Facebook’s terms of use, it’s not strictly illegal. Some scraping operations are malicious, but others are academic, or journalistic,” clarified Bischoff.
Wanted DOA
In its announcement of the expansion of the bug bounty program, Facebook mentioned that since its inception, the bug bounty initiative had awarded over 800 bounties, totaling over $2.3 million to researchers from more than 46 countries. Tackling “new challenges” such as scraping was a natural extension of the program.

According to Meta, the expanded bug bounty program will reward security researchers on two fronts. First, as part of its larger security strategy to make scraping harder and “more costly” for threat actors, Meta will award reports about bugs in its platform that bad actors can exploit to bypass the barriers it’s erected to dissuade scraping. Second, the platform said it’ll also award data bounty hunters who inform it about unprotected databases available online that contain the scraped PII of at least 100,000 unique Facebook users.

“If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed,” Meta noted in the announcement. It added that if the scrape was because of a misconfiguration in the application of an external developer, the platform would work with the developer to plug the leak. On the other hand, it’ll also make efforts to ensure that the hosting service where the hackers have housed the scraped database takes it down.

The rewards for the scraping bounties start at $500, and while the scraping bugs entail monetary payouts, information about scraped databases will be awarded in the form of charity donations to nonprofit organizations of the reporters’ choosing. “To the best of our knowledge, this is the first scraping bug bounty program in the industry,” Meta summed up. “We will work to address feedback from our top bounty hunters before expanding the scope to a greater audience.”