The Facebook flaw exposed users' webcams.
Facebook has patched a security vulnerability that would have
allowed hackers to turn on users' webcams without their knowledge and
post videos to their profiles.
The bug was discovered in July by two computer-security
researchers in India, according to Fred Wolens, spokesman for Facebook.
Aditya Gupta and Subho Halder, founders of a consulting firm called XY
Security, reported their findings to Facebook, which paid them $US2500
for the information. Facebook seems to have deemed this particular bug
as "serious" because the company paid five times its usual price, the
two researchers said.
Facebook is one of a few technology companies - along with Google and Mozilla, maker of the Firefox browser - encouraging outsiders to hack into their products in return for payouts. Some companies, notably Microsoft, have shunned "bug bounties" because they might wind up rewarding criminals.
An investigation by Facebook when it fixed the webcam hole found that no users appeared to be affected, Wolens said.
"This vulnerability, like many others we provide a bounty
for, was only theoretical, and we have seen no evidence that it has been
exploited in the wild," Wolens wrote in an email. "Essentially, several
things would need to go wrong - a user would need to be tricked into
visiting a malicious page and clicking to activate their camera, and
then after some time period, tricked into clicking again to stop/publish
the video."
Bounty reward
Many companies choose to pay researchers such as XY Security
for bugs because the alternative can be much worse. Such information can
fetch high prices on the black market from criminals who try to find
ways to shake down internet surfers, costing site administrators more in
the end.
Facebook's "peeping Tom" bug could have been exploited on
either Windows or Mac computers, the researchers said. The Facebook
vulnerability found by XY Security was related to how the site verified
requests to record and post webcam video, they said. People who had
previously granted Facebook's site access to their webcams would have
been vulnerable, he said.
Facebook, Google and Mozilla have paid researchers more than
$US2 million combined through their bounty programs, according to the
companies. Google has paid as much as $US60,000 (plus a free laptop)
for information about weaknesses in its Chrome web browser, and Facebook
has expanded its program to cover not only the Facebook site but also
the company's corporate network.
Before reporting the webcam bug to Facebook, Gupta and Halder
had been building a reputation in the tech industry as professional
bug-bounty hunters. The researchers, who are in their early 20s, had
previously reported software vulnerabilities to Apple, Google, Microsoft
and eBay's PayPal, they said.
smh.com.au 2 Jan 2013
To the uneducated masses, the so-called 'flaws' seem legitimate, but from an Information Technology perspective, the truth is quite different.
The lines of programming or code to activate a user's webcam are quite specific, and cannot occur as a random 'error'.
Google, whilst on its mapping mission, also carried wifi sniffing tools to seek users' details. Once this was uncovered, Google mentioned that it was an 'error'. Camera equipment and wifi sniffing and logging technologies are two very distinctly different types of technologies.
Governments and business actually support privacy breaches by companies, as they (governments) also use these companies to covertly spy on the masses.
There is no policy or urgency to stop this kind of practice.