Meta expands bug bounty programme to cover data scraping

Connor Jones

16 Dec, 2021

Meta has expanded its bug bounty programme to include flaws that lead to data scraping in a move it’s describing as an industry-first.

The programme will now cover database scraping and also offer rewards for researchers who can simply show novel methods of scraping on its products – the latter of which is a first-of-its-kind programme, according to the newly rebranded parent company of Facebook.

It will begin as a private programme only available to Meta’s Gold+ HackerPlus security researchers – a title for researchers who have reported at least five valid bugs to the company – and will offer rewards to those who show how data scraping can be achieved, regardless of the degree of impact on the product.

Researchers can submit methods even if the data is public and Meta said it’s particularly looking for reports regarding logic bypass issues – flaws that permit access to data via unintended mechanisms.

Data scraping can be achieved using specially crafted scripts, often using the Python programming language, which are designed to lift the data from any given web page. These scripts can be designed to grab specific information, depending on the target and the purpose of the activity.

“We know that automated activity designed to scrape people’s public and private data targets every website or service,” said Meta in an announcement.

“We also know that it is a highly adversarial space where scrapers – be it malicious apps, websites or scripts – constantly adapt their tactics to evade detection in response to the defences we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform.”

The move comes more than two years after the company formerly known as Facebook first identified an issue that allowed users to scrape data of 533 million of its users. The data was leaked online, in full, by a hacker earlier this year after they ran an underground business that saw people pay small sums to access and retrieve information such as users’ phone numbers.

Meta has said it will also reward researchers who can demonstrate they can scrape datasets containing at least 100,000 Facebook user records, starting today.

To be eligible for a reward, the dataset must be unique and unknown to Meta, and contain personally identifiable information (PII) such as email addresses, phone numbers, physical addresses, or religious or political affiliations.

“If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed,” the company said.

The maximum reward for the programme is not disclosed by Meta, but it said each successful, eligible disclosure will be rewarded with the bare minimum of $500 (£376).

Database scraping is often confused with a data breach and it represents an interesting differentiation of the two terms, despite the outcome largely being the same – user data falling into the hands of those with whom the user did not explicitly share.

Unlike data breaches, which fall under the Computer Misuse Act, there is no specific law against data scraping in the UK. However, sites can take action against individuals if the data scraping results in an infringement of intellectual property or breaches the site’s terms of service.