Bug hunter exposes security hole, Facebook cries foul

IANS New York
Last Updated : Dec 21 2015 | 2:28 PM IST

A security researcher who unearthed a major Instagram hole has got into trouble with Facebook that accused him of unethical behaviour.

Wesley Wineberg, a well-known bug hunter, was probing an exposed Amazon-hosted server when he found a hole that could allow attackers to run code remotely, and submitted a ticket to the bug bounty team, Engadget.com reported.

After confirming the bug, he decided to dig a bit deeper, and then things took an ugly turn. He managed to crack some weak employee passwords and submitted another report. Using that access, he obtained a key that allowed him to read server files.

To demonstrate the extent of the vulnerability, he downloaded several "buckets" of non-user data from Instagram's Amazon servers.

The data, he discovered, gave him access to source code and secret authentication codes.

"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," he wrote in a blog post.

Having paid Wineberg $2,500 for discovering the earlier bug, Facebook was, this time around, far from grateful.

It declined to pay him for the later bug submissions, saying he had violated the terms of its bug bounty programme.

In a Facebook post, CSO Alex Stamos wrote: "Intentional exfiltration of data is not authorized by our bug bounty programme, is not useful in understanding and addressing the core issue, and was not ethical behaviour by Wes."

Stamos was also reported as telling Synack's CEO -- Wineberg's employer -- that "we could not allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research".



First Published: Dec 21 2015 | 2:14 PM IST
