Facebook's security glitches show the limits of bug bounties
Repeated security incidents at Facebook demonstrate that most organizations today, tech giants included, do not have adequate visibility into the many thousands of vulnerabilities in their networks and IT assets, vulnerabilities that could expose sensitive information and compromise payment and other accounts.
Even when gaps in security are detected, most companies struggle to decide which remediations to prioritize, given limited IT resources and manpower.
In the next year, we will start to see organizations adopt security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritized fixes based on potential business impact. That is the only way companies will be able to stay ahead of the ever-growing volume of security vulnerabilities and protect their most important assets.
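To make "prioritized fixes based on potential business impact" concrete, here is an added example (not from the article, and not any vendor's tool) that ranks findings with a transparent weighted-scoring heuristic rather than machine learning. The weights, the asset-criticality tags and the sample findings are all assumptions constructed for illustration; the point it shows is that a finding with the highest CVSS score is not necessarily the one to fix first once exposure, exploitation and the asset's business role are taken into account.

```python
"""Risk-based prioritization of vulnerability findings.

Added illustration (not from the article or any vendor product): a simple
weighted-scoring heuristic that combines technical severity with business
context. Weights and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float             # CVSS base score, 0.0 - 10.0
    asset_criticality: int  # assumed asset tag: 1 (low) .. 5 (business critical)
    internet_facing: bool   # reachable from outside the network
    exploited_in_wild: bool  # exploitation is known to be occurring
    handles_payments: bool  # asset processes payment or account data


def priority_score(f: Finding) -> float:
    """Score a finding by potential business impact.

    The weights below are illustrative assumptions, not a standard:
    severity is scaled by asset criticality, multiplied for exposure and
    active exploitation, and given a flat bump for payment-handling assets.
    """
    score = f.cvss * f.asset_criticality  # 0 .. 50 before modifiers
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    if f.handles_payments:
        score += 10.0
    return round(score, 2)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings.
SAMPLE = [
    Finding("F-1", 9.8, 2, False, False, False),  # critical CVSS, internal low-value host
    Finding("F-2", 6.5, 5, True, True, True),     # medium CVSS, exposed payment system, exploited
    Finding("F-3", 7.5, 3, True, False, False),   # high CVSS, exposed but not exploited
    Finding("F-4", 4.0, 1, False, False, False),  # low on every axis
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id}: cvss={f.cvss} priority={priority_score(f)}")
```

Sorting by CVSS alone would put F-1 first; with business context applied, the exploited, internet-facing payment system (F-2) moves to the top of the remediation list.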
Facebook’s latest API bug was active in its system for 12 days in September and affected the photos of up to 6.8 million of the social media platform’s users.
The bug gave third-party apps access to more of a user’s photos than are normally shared on the timeline, including photos shared in Facebook Stories and on Marketplace, and photos that were queued to be posted to the site but later canceled. The news comes at a bad time for Facebook, as the company was already facing scrutiny over its September disclosure of a breach of 50 million users’ personal information.
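The failure described above is an authorization-scoping bug: an API granted for timeline photos returned photos from other surfaces as well. The following added example (a hypothetical model, not Facebook's code or API) shows an over-broad query beside a scoped one, with the photo surfaces, the scope-to-surface mapping and the sample data all constructed for illustration. The `excess_exposure` helper is the kind of regression check a defender can keep in a test suite so that a data-access path cannot silently widen again.

```python
"""Server-side scoping of photo data returned to a third-party app.

Added illustration with a hypothetical data model; not Facebook's code.
Surfaces, scope mapping and sample photos are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Set


class Surface(Enum):
    TIMELINE = "timeline"
    STORY = "story"
    MARKETPLACE = "marketplace"
    PENDING = "pending"  # uploaded and queued, but never published


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: Surface
    published: bool


# Constructed sample data.
PHOTOS = [
    Photo("p1", "alice", Surface.TIMELINE, True),
    Photo("p2", "alice", Surface.STORY, True),
    Photo("p3", "alice", Surface.MARKETPLACE, True),
    Photo("p4", "alice", Surface.PENDING, False),
    Photo("p5", "bob", Surface.TIMELINE, True),
]

# Assumed mapping from a granted permission to the surfaces it actually covers.
SCOPE_SURFACES = {
    "user_photos": {Surface.TIMELINE},
}


def photos_for_app_overbroad(owner: str, granted_scopes: Iterable[str]) -> List[Photo]:
    """Defective version: checks only that *some* photo permission was granted,
    then returns every photo the user owns regardless of where it was shared
    or whether it was ever published."""
    if "user_photos" not in set(granted_scopes):
        return []
    return [p for p in PHOTOS if p.owner == owner]


def photos_for_app_scoped(owner: str, granted_scopes: Iterable[str]) -> List[Photo]:
    """Hardened version: allow-list by surface derived from the granted scopes,
    and require the photo to be published. Unknown scopes grant nothing."""
    allowed: Set[Surface] = set()
    for scope in granted_scopes:
        allowed |= SCOPE_SURFACES.get(scope, set())
    return [
        p for p in PHOTOS
        if p.owner == owner and p.published and p.surface in allowed
    ]


def excess_exposure(owner: str, granted_scopes: Iterable[str]) -> Set[str]:
    """Regression check: photo ids the over-broad path returns that the scoped
    path does not. A non-empty result means data is leaving the granted scope."""
    scopes = list(granted_scopes)
    broad = {p.photo_id for p in photos_for_app_overbroad(owner, scopes)}
    scoped = {p.photo_id for p in photos_for_app_scoped(owner, scopes)}
    return broad - scoped


if __name__ == "__main__":
    print("over-broad:", [p.photo_id for p in photos_for_app_overbroad("alice", ["user_photos"])])
    print("scoped:    ", [p.photo_id for p in photos_for_app_scoped("alice", ["user_photos"])])
    print("leaked:    ", sorted(excess_exposure("alice", ["user_photos"])))
```

The scoped version filters on the data's own attributes (owner, surface, published state) rather than on the mere presence of a permission, so adding a new surface later cannot widen what an existing permission returns unless `SCOPE_SURFACES` is updated deliberately.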
Facebook failed to report this bug to Europe’s Information and Data Protection Commissioner, putting the company at risk of sanctions under GDPR. However, these penalties may be the least of Facebook’s worries right now: mishandling the disclosure of this security incident after several other security mishaps this year not only gives the company a poor public image, it can also affect its stock price over the long term.
It’s interesting that Facebook announced the API bug one day after news broke that the company had paid over $1.1 million in bug bounties in 2018, perhaps in an attempt to highlight that the company is doing its due diligence in proactively hunting for bugs. The problem with bug bounties is that while they can complement a vulnerability management program, they do not offer the comprehensive coverage an enterprise requires. There are no brownie points for companies that suffer a security incident but spend a lot of money on largely ineffective security measures.