“Facebook is basically pitting the whitehat against the blackhat in a kind of vulnerability discovery arms-race, without certificate pinning in the traditional role of blinding both”
New Facebook whitehat settings on the social media platform allow users to intercept or manipulate traffic between their Facebook apps and its servers by turning off common security measures such as Certificate Pinning.
Certificate Pinning is a well-respected security method commonly used by mobile applications to protect the confidentiality and integrity of traffic between an end-user and, in this case, Facebook’s infrastructure.
Such measures are in place to protect users from threat actors who wish to intercept data traffic or conduct man-in-the-middle attacks.
Unfortunately they may work too well; security researchers have pointed out to Facebook that they are making it difficult for them to test the platform for server-side security vulnerabilities.
Facebook wrote in a security post that these new settings are a means for security researchers to “analyze network traffic on Facebook, Messenger and Instagram Android applications on their own accounts for bug bounty purposes.”
The move was welcomed by security professionals. Chris Wallis, founder of the UK’s Intruder, told Computer Business Review: “This is actually awesome from Facebook, in terms of their commitment to securing their apps by making them easily testable by the whitehat community. Lots of app makers add security features for normal users, but it’s a rare company that spends time adding features specifically to help whitehats.”
Facebook Whitehat Settings Let You Analyse Your Account Traffic
When the whitehat setting is enabled it allows security researchers to conduct tests on their own Facebook-associated accounts.
Charl van der Walt, Chief Security Strategy Officer at SecureData, informed Computer Business Review that when a tester turns on these settings: “They basically make SSL/TLS man-in-the-model ‘attacks’ possible. They then use such an attack against themselves to insert a proxy or traffic/protocol analyser into the network stream between their instance of the mobile app and Facebook’s servers.”
“Once they have the proxy inserted, they can analyse the traffic between the mobile app and the back-end application on Facebook’s servers and from there start to seek out vulnerabilities on both components.”
If certificate pinning is still in place then this whole process is considerably more difficult for vulnerability testers and this comes with an increased cost to the security researcher. The whitehat settings help to reduce the cost, allowing bug bounty hunters with smaller budgets enter into the game.
Facebook have stated that with the new settings users can:
- Enable proxy for Platform API requests (applies to Facebook on Android only)
- Allow user installed Certificate Authorities
- Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2
“These settings are configured in two places. The first is via the Web UI and the second is via the app UI. In other words, to access these settings from your mobile device, you must first enabled them from your Facebook account through the Web,” Facebook notes.
The Ever Evolving Race Between Bounty Hunters and Threat Actors
The move has been welcomed by security experts and is indicative of expanded larger bug bounty hunter engagement by the social media giant, which in 2018 awarded over $1.1 million to researchers from over a 100 countries.
In that same year it reported receiving over 17,800 reports and subsequently issued more than 700 bounties. The average monetary award was $1,500, with the value of awards depending on the severity of the vulnerability discovered.
The new settings pose little to no risk to the average user as they would have to enable the feature themselves, while at the same time a threat actor would have to be aware of the vulnerable user and place themselves in a position to capitalise on it. Both scenarios are unlikely. Charl van der Walt told us that: “The more interesting aspect here is that blackhat researchers can now also use this feature to conduct their own research and thus potentially find vulnerabilities that they don’t disclose.”
“It seems to me Facebook is basically pitting the whitehat against the blackhat in a kind of vulnerability discovery arms-race, without certificate pinning in the traditional role of blinding both. I would imagine that a determined attacker would be less affected by pinning then the bounty hunter, who is operating on a much smaller budget. In that sense pinning impacts the whitehat more than the black hat and thus the tradeoff would seem reasonable.”