Meta (formerly Facebook) has announced that its existing Bug Bounty program will expand to cover scraping attacks, a type of security incident that has affected the social network considerably in the past.
Data scraping is a technique that lets attackers gather, in bulk, the data of any Facebook user whose profile is set to public, and sometimes even data from private accounts. Surprisingly, many users keep their profiles public, allowing anyone to view and collect the information they post. While this might not seem like a big deal, people tend to share a lot of information online, sometimes including private data.
Attackers can correlate the data collected from Facebook with other databases, producing a much richer picture of each user. Criminals might then sell the resulting databases on hacking forums or through the darknet. The fact that Meta expanded the Bug Bounty program to cover these types of attacks means it now takes the problem much more seriously.
“Starting as a private bounty track for our Gold+ HackerPlus researchers, our bug bounty program will award reports about scraping methods, even if the data they target is public,” said Meta in a blog post. “Specifically, we’re looking to find bugs that enable attackers to bypass scraping limitations to access data at greater scale than the product intended.”
Even more interesting is that Meta also wants to know about scraped databases that are already online. Of course, scraping the social network yourself and building a database in order to claim this reward won’t work.
“We will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data (e.g. email, phone number, physical address, religious or political affiliation). The reported dataset must be unique and not previously known or reported to Meta,” the company added.
Facebook is one of the main social networks affected by this security problem. Over time, databases holding the data of hundreds of millions of users have appeared online, sometimes as the result of scraping and sometimes because of bugs in the platform itself.