In a perfect world, security researchers would be able to find bugs in software, report them to vendors, get paid for their efforts and everyone would be happy. While that’s precisely how security reporting works in some cases, the information security world is far from perfect as an incident this week with Facebook’s Instagram unit clearly illustrates.
Security researcher Wesley Wineberg publicly posted an extended rant about a vulnerability he reported to Facebook regarding remote code execution (RCE) flaws with Instagram. Wineberg responsibly reported the initial RCE flaw to Facebook’s white-hat security program on Oct. 21. After that point is where this incident goes off the beaten path.
Facebook acknowledged Wineberg’s report, for which he was awarded $2,500 on Nov. 16. However, Wineberg alleges that he found other issues that allowed broad access to Instagram.
“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” Wineberg wrote in a blog post. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member.”
Wineberg alerted Facebook that he intended to publicly write up his findings, which the company didn’t take lightly. According to Wineberg, Facebook’s Chief Security Officer Alex Stamos contacted the CEO of Synack, where Wineberg is a contract worker. Wineberg alleges that Stamos warned of possible legal repercussions if he were to publish his research about the Instagram risk.
To his credit, Stamos publicly responded with a Facebook note, detailing his view of the situation. Stamos agrees that Wineberg did, in fact, find and report an RCE flaw on Instagram for which Facebook awarded a bug bounty of $2,500.
The other issue alleged by Wineberg is where there is a disagreement. Stamos noted that using the RCE flaw, Wineberg found Amazon API keys and then used those keys to gain access to an Amazon S3 storage bucket that contained Instagram technical and system data.
“The fact that AWS keys can be used to access S3 is expected behavior and would not be considered a security flaw in itself,” Stamos wrote. “Intentional exfiltration of data is not authorized by our bug bounty program, is not useful in understanding and addressing the core issue, and was not ethical behavior by Wes [Wineberg].”
In terms of the alleged legal threat, Stamos admitted that he contacted Jay Kaplan, CEO of Synack, and told him that legitimate bug research does not include exfiltrating unnecessary data.
“I did not threaten legal action against Synack or Wes, nor did I ask for Wes to be fired,” Stamos wrote. “I did say that Wes’s behavior reflected poorly on him and on Synack, and that it was in our common best interests to focus on the legitimate RCE report and not the unnecessary pivot into S3 and downloading of data.”
Looking at both sides of this incident, there is a lot to be learned. First of all, Wineberg should be commended for his initial research and responsibly disclosing it to Facebook. Stamos’ quick response to Wineberg’s allegations that Facebook didn’t properly address the issues should also be applauded.
Security researchers should be free to responsibly report and then disclose information about vulnerabilities; that’s what makes us all safer. Security by obscurity just doesn’t work. That said, there are boundaries and there is no need to cross those boundaries in order to actually improve security.
What Stamos has done with this incident is to clearly explain where the boundary exists.
This is not the first time that Stamos has refuted the claims of a security researcher. Stamos officially joined Facebook in June, after being the chief information security officer at Yahoo. While at Yahoo, in October 2014, Stamos admitted that Yahoo was the victim of a breach, though not by way of the Shellshock bug, as a security researcher had alleged.
Details matter, and sometimes there is a tendency in information security to generalize complicated issues. The concern with the Wineberg allegation was that somehow Facebook wasn’t playing by the rules and was trying to silence a security researcher. As Stamos’ detailed account of the situation claims, that wasn’t the case.
“I strongly believe that security researchers should have the freedom to find and report flaws for the betterment of humanity,” Stamos wrote.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.