Facebook expands bug bounty program to include scraping attacks, two years after it was scraped – hard

But still allows limited harvesting


Meta has expanded its bug bounty program to include payouts for reports of scraping attacks on Facebook – but hold your applause.

The antisocial network and aspiring Third Life operator is no stranger to scraping – the practice of using automated tools to harvest information from open sources such as people's profile pages. In October, Facebook sued a chap who it alleges scraped and sold data pertaining to 178 million users. April 2021 brought the revelation that data describing 533 million Facebook accounts had been scraped and, after being sold in dark places for a year or two, had been dumped on the web for free.

The data revealed in that latter incident was obtained in 2019 or earlier, and Facebook admitted it was made possible via a flaw in its own software.

In a textbook Zuckerberg response at the time, the internet goliath pointed out that it works very hard to stop bad things happening, that scraping is not permitted under its terms of use, and the people behind the info collection had therefore been very naughty and mean.

Now the data-harvesting giant has decided to act – sort of – by crowdsourcing its vigilance.

"We're tackling the industry-wide issue of scraping by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected data sets," states an update from the Facebook security team.

"The goal of this program is to find bugs that attackers utilize to bypass scraping limitations to access data at greater scale than the product intended."

Note, dear reader, that the above quote indicates that Facebook limits scraping and is comfortable with it happening at limited scale.

"Our goal is to quickly identify and counter scenarios that might make scraping less costly to execute," the post by Facebooker Dan Gurfinkel adds.

Again, Facebook appears to be OK with scraping, so long as it is really hard – or at least expensive – to do.

Another extension to Facebook's bug bounty program is rewards for those who find "unprotected or openly public data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address, religious, or political affiliation."

Only data that is unique – and which Meta has not seen in the wild before – will earn a bounty.

If the company validates reports, it will "make efforts" to have the scraped data removed "or consider legal means to address the issue."

Note the consideration of legal action, not the threat that a hundred lawyers funded by Meta's $86bn annual revenue will descend upon the accused, hurling ferociously worded letters threatening to sue perps into the Stone Age.

Meta's bounty program for these datasets only offers payments to reporters' preferred charities – lest scrapers report their own work for monetary gain. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022