Facebook has been working hard to repair its reputation after years of controversy, and as part of building a new image, the company says it will focus on privacy and security. Facebook is taking this a step further by allowing White Hat hackers to test its security systems across all of its services.
According to Hacking Vision:
“Facebook will knowingly break its Certificate Pinning mechanism for its users that use white hat settings. Pinning is used to improve the security of a website that uses SSL. Pinning allows websites to allow or disallow a user by searching for a specific cryptographic identity. SSL Certificate Pinning techniques are often used to defend against sniffing attacks.”
If you think you have what it takes, or if you are just curious, you can enable the White Hat researcher settings by going to the following URL:
According to Naked Security:
“Nearly all Facebook-owned apps make it as hard as they can to stop tricks such as Man in the Middle (MITM) attacks, which could allow rogues in your local coffee shop to spy on you, but this also makes it tough for ethical hackers and security researchers to intercept and analyze network traffic to find server-side security vulnerabilities. That’s why Facebook decided to help them out by giving them Researcher Settings so they can dial back their connection security and pretend that it’s still 2009.”
You can also activate these settings on mobile devices from Facebook’s main app. If you want to enable them for the Facebook Messenger app or Instagram, however, that option is only available on Android at this time.
Just look under “settings and privacy” for the White Hat option.
Paul Ducklin of Naked Security says that this function even allows people to spy on themselves to see how things work under the hood.
“Facebook is helping security researchers have their cake and eat it, too. By default, you’re protected against other people sniffing out your network traffic, which stops them seeing what data you’re sending to Facebook. But now you can carefully snoop on yourself when you need to, so you can see how Facebook is sending your data. That’s good for security, privacy, and transparency,” Ducklin says.
The Facebook White Hat settings reportedly include a built-in proxy that can be used for API interactions, as well as an option to disable TLS 1.3 support.
“Once White Hat researcher settings are enabled, you will notice a White Hat Settings button in each of the applications that you selected.” — Arif Khan (@payloadartist) March 23, 2019
According to a statement from Facebook:
To protect over two billion people using Facebook products, our mobile apps implement security mechanisms such as Certificate Pinning. These mechanisms are designed to raise the barrier of entry for an attacker seeking to break the integrity and confidentiality of the traffic sent from the client (user device) to the server (Facebook’s infrastructure). These measures enhance the security of the data in transit, but they also make it harder for our Whitehat researchers to test our mobile apps for server-side security vulnerabilities as was highlighted by our Whitehat survey. Today we are pleased to announce that we heard the feedback and implemented a means for security researchers to analyze network traffic on Facebook, Messenger and Instagram Android applications on their own accounts for bug bounty purposes. We advise turning these settings off while not testing our website for security vulnerabilities.
Facebook was also in the news this week with a massive data breach, in which user passwords were compromised.
Another statement from the company said, “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues, and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way. To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them.”
If you have any other questions, consult the Facebook Help Page.