Researcher claims Facebook tried to gag him over critical flaw

A security researcher who found a critical flaw in Instagram is claiming that Facebook's chief security officer Alex Stamos tried to get him fired over the discovery.

Earlier this year Wes Wineberg, a contractor with enterprise security intelligence firm Synack, received a tip on IRC about an Instagram server with an open admin panel that could be vulnerable to a flaw in Ruby, since it was using an older version of the software.

After finding a default security code for Ruby online he tried it out and got accepted, enabling remote code execution (RCE) that gave him access to some of the command line. After confirming the flaw was exploitable, he then wrote up a couple of bug reports and submitted them to the Facebook security team's bug bounty program.

But Wineberg decided to dig a little deeper. He'd submitted bugs to Facebook before and its terms and conditions ask for evidence of flaws that allow deep penetration of the firm's servers, as long as doing so doesn't cause server downtime. So he decided to go looking.

Using the RCE flaw, he checked out the user accounts that were stored on the compromised server and found 60 from Facebook and Instagram employees. Sensibly, the account passwords were encrypted with bcrypt, but he ran them though John the Ripper, an open source password cracker capable of about 250 guesses a second.

"To my surprise, passwords immediately came back. In only a few minutes of password cracking, I had recovered 12 passwords!" he said. "These passwords were all extremely weak, which is why I was able to crack them despite them being bcrypt encrypted."

The passwords included six instances of "changeme," three which were the user's own name, two of "password," and one "Instagram." He logged into one account to prove it could be done and filed a third bug report to Facebook. The company firewalled the server shortly afterwards.

Digging deeper

However, after a closer examination of a server configuration file, Wineberg found an Amazon Web Services key-pair. A scan revealed 82 different AWS S3 storage buckets associated with the key, but only one of them could be opened. In that he found a second key pair that opened up all 82 buckets.

In there he found Instagram's crown jewels. The buckets stored the source code for the firm's servers, SSL certificates and private keys for Instagram.com, iOS and Android app signing keys, and email server credentials.

"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Wineberg said.

"With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user's account, private pictures and data."

He filed a detailed report to Facebook indicating seven areas of weakness involved in the hack, and on December 1 sent it in. It was then that the shit hit the fan. Facebook's CSO called Wineberg's boss at Synack the same day for a little chat.

Stamos informed Synack's CEO Jay Kaplan that Wineberg had been poking around in Facebook's servers and the company took a very dim view of the activity. Stamos said he didn't want to get lawyers involved, but did need assurances that Wineberg wouldn't be publishing anything on how he got into the S3 buckets and that he had deleted any data retrieved.

"I did not threaten legal action against Synack or Wes nor did I ask for Wes to be fired," Stamos said in a Facebook post. "I did say that Wes's behavior reflected poorly on him and on Synack, and that it was in our common best interests to focus on the legitimate RCE report and not the unnecessary pivot into S3 and downloading of data."

Timing is everything

This might sound like a case of corporate bullying, but the timeline of events is important here.

Stamos said, and Wineberg agrees, that the bug report into the initial RCE flaw was confirmed and a payout of $2,500 was made. But when he submitted the flaw report on weak user passwords, Facebook rejected the flaw, and reminded Wineberg that he wasn't supposed to be going quite so far in his research.

"In the future we expect you will make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research," the email, sent on October 28, stated.

Wineberg asked for clarification about how far he could go and on November 6 got an email from Facebook's security team, saying the team would "discourage escalating or trying to escalate access, as doing so might make your report ineligible for a bounty."

He then sent three more emails asking Facebook for clarification on the issue, but got one form response. Then, on December 1, he reported the AWS key issue and got an immediate response that the digging had violated user privacy, and stating "we do not explicitly prevent nor provide permission" to publish his findings.

What's key, from Stamos' perspective, is that Wineberg was warned not to do further digging. Wineberg feels that, since Facebook's terms and conditions don't explicitly ban this, he's in the clear and said his legal advisor agrees with him.

Fixing the fracas

In his Facebook post Stamos acknowledges many of Wineberg's points, but states that the timeline that they both agree on does indicate that the researcher crossed an ethical line.

"Those of us who spent time in the security community in the 1990's and 2000's remember the bad old days of bug reporting, when there was a constant drumbeat of stories of security researchers trying to responsibly improve security and software vendors responding to them with legal threats," he said.

"I have personally been the target of these threats, have stood behind my researchers as a co-founder of a security firm, and have acted as a pro-bono expert witness on behalf of security researchers facing civil and criminal action."

But a line has to be drawn between finding a bug and actually using it to roam around servers willy-nilly. Not only could such actions cause major problems in a company's networks – they could lead to the bad old days of companies lawyering up against the security community.

Stamos said that he thought Wineberg was an employee of Synack's because the researcher used a synack.com email address when contacting Facebook, and he blogged for the company. All the problems identified had now been fixed, he said, and Facebook is examining both its terms and conditions and the responses from its security team.

Facebook might want to take a leaf out of Microsoft's book – Redmond's T&Cs explicitly ban investigating its servers for flaws – and researchers submitting flaws to any bug bounty program should be very conversant in how the rules might be changing in light of this case.

But some in the security research community are peeved at this approach, feeling Facebook was too heavy-handed. Others support the move, saying Wineberg shouldn't have gone as far as he did in exploring Facebook's servers.

Both sides in this fight appear keen to draw a line under the affair, but the case does highlight the delicate line between legitimate research and sort-of hacking for money. Millions are paid out every year in bug bounty programs, and the system works well in supporting researchers. So long as lawyers are kept out of the picture that should continue unabated. ®