A web security researcher has accused Facebook of trying to threaten and intimidate him after he discovered a vulnerability in the software behind Instagram, and reported it to the company. Facebook rewards people for reporting security flaws to it, as part of its bug bounty program. Payments for new bugs start at $2,500.
Facebook chief security officer Alex Stamos, however, says the researcher tried to hold the company up for more money and behaved in a “not ethical” manner by using the bug to download data.
The researcher, Wes Wineberg, wrote a long blog post explaining the saga. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” said Wineberg. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member.”
He reported it to Facebook, but heard nothing back. Later, Wineberg got a call from his boss and the CEO of the company he does contract work for, Synack.
According to Wineberg, Facebook’s Stamos had gone directly to his employer to allege improper behaviour after he found the Instagram bug. “Alex then stated that he did not want to have to get Facebook’s legal team involved, but that he wasn’t sure if this was something he needed to go to law enforcement over.” Wineberg describes Facebook’s actions as [ensuring] “that my findings could be effectively covered up.”
Stamos, in a post on Facebook, disputes every one of Wineberg’s claims. He did not, as Wineberg claims, threaten to get him fired, but said his “behaviour reflected poorly on him and on Synack.”
(It’s worth noting that Wineberg is a contractor for Synack, not a full-time employee. He also says he contacted Facebook through a personal email address, not his work email, implying that it was Stamos who made the connection to Synack.)
Facebook has previously been receptive to those who find bugs in its products and report them to the company. A bug that goes unreported can be found by others and fall into the wrong hands, where it can be used for any number of reasons, many of them bad.
“Despite all efforts to follow Facebook’s rules, I was now being threatened with legal and criminal charges,” wrote Wineberg. “If the company I worked for was not as understanding of security research I could have easily lost my job over this.”
For his part, Stamos describes Wineberg’s investigation of the bug as “going well above and beyond what is necessary” which resulted in the call to his employer. He denies threatening legal action.
Wineberg told Threatpost, a blog about software security, that he had deleted all of the data he found.
Business Insider has reached out to Facebook to ask about the claims. We will update the post when we hear back.