Meta has announced that it will reward folks who report the theft of Facebook user data that has been secretly scraped by bad actors. The company will also be rewarding the discovery of bugs that lead to data scraping in the first place, which is fairly ordinary stuff. Data scraping is quite rampant, and the user information collected by malicious parties by simply running a web script or seeding a compromised app can fetch a high price on the black market.
The scraped dataset, which can include anything from names and phone numbers to email addresses and financial details, can be used for targeted advertising, extortion, and many other ills. In 2021 alone, Facebook and LinkedIn both disclosed data theft that affected over half a billion users on each platform. It appears that Facebook wants to solve the data scraping headache for good by dangling a reward.
Meta says its bug bounty program will now also cover verifiable reports of data scraping that involves at least 100,000 unique Facebook user records. However, the scraped data must include Personally Identifiable Information (PII) such as email addresses, mobile numbers, residential addresses, religious inclination, and political affiliation among others. Additionally, the scraped data must be available online or on a website that is not owned by Meta, Facebook's newly-renamed parent company. As for the bounty, Facebook says it will dole out a minimum reward of $500 for each scraping bug or dataset reported.
The Leaks Gotta Stop Somehow
As far as scraped data is concerned, the dataset could have been extracted via different sources. In some cases, a vast amount of user data is collected if there are configuration flaws with third-party application APIs. In such cases, Facebook will promptly get in touch with developers to plug the leak. In scenarios where the scraped data is being hosted elsewhere, Facebook will ask the respective file-sharing or cloud storage platform t0 take it all offline. Misconfigured S3 buckets on Amazon Web Services have already resulted in some serious data leaks in 2o21 so far. A leak in S3 bucket of Turkish beauty brand Cosmolog Kozmetik exposed the data of nearly half a million users, per InfoSecurity. However, there’s a caveat when it comes to giving out the price.
For reports of scraped datasets, Meta says it will reward them in the form of charity donations to nonprofits selected by the researcher behind the discovery. Facebook says it is doing to ensure that it doesn’t end up encouraging scraping attacks. However, if a cybersecurity expert spots a scraping bug, the efforts will be rewarded with a paycheck, as is the case with discovering vulnerabilities in other Facebook systems. It must be noted here that the data scraping bounty described above covers only Facebook and not sister platforms including Instagram or WhatsApp. Instagram is not exactly immune to data leaks, and with an alleged 2 billion users under its belt, the risks are higher than ever.
Sources: Meta, InfoSecurity