Facebook has tapped into the power of crowdsourcing to make the site a safer place and reward researchers willing to help it out to that end.
The social network shelled out more than $1 million over the past couple years to 329 people in 51 countries who reported security problems with the site. The youngest was 13 years old. A couple of those researchers went on to work for the tech giant’s security branch.
The Bug Bounty program was launched in 2011 to reward people who report issues to the site and make it a safer place to hang out online, Facebook Security Engineer Collin Greene says in a note posted to the site’s security blog:
So far the program has been even more successful than we’d anticipated. We’ve paid out more than $1 million in bounties, and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure.
In November, Facebook started to convert its default browsing from unsecured HTTP to secured HTTPS (Hypertext Transfer Protocol Secure). The company announced in a blog post that it has now finished the job of using HTTPS for all Facebook users.
This makes for a secure connection between users and Facebook. When Facebook first started enabling HTTPS, the company found that roughly 1/3 of users opted in. Since November, Facebook has worked to make the HTTPS connection faster and more efficient. The company said Wednesday that all desktop users and 80 percent of traffic through m.facebook.com now go over a secured connection. Native apps have also been using HTTPS.
A recent bug on Facebook exposed the phone numbers and email addresses of roughly 6 million users, the site reported late Friday on its blog. Facebook says it has no evidence that the bug was exploited maliciously, and the bug has since been fixed. Affected users have been notified via email, and Facebook has notified regulators in the U.S., Canada and Europe.
Someone tipped off Facebook’s White Hat Program to the problem, and Facebook worked quickly to fix it.
Facebook described what happened:
Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
Readers: Were you affected by the bug?
Facebook users have made it clear that they want more control over their privacy. The company’s investors said that repeatedly during Facebook’s first shareholders meeting, and the latest Android mobile app update shows that the site is working on more ways to get privacy controls in the users’ hands.
From the Android app, Facebook users can now change the privacy settings on any of their prior posts.
Previously, users could only control who sees posts they’re about to make from their Android app, but now people can go back to any post they’ve made and tweak the privacy settings.
A new scam going around Facebook recently begins with a message to page owners about a new “Fan Page Verification Program.” From there, users are prompted to share their Facebook email address and password, which is the phishing step of the scam.
Similar to another scam that targeted page admins in the past, the message purports to be from Facebook Security and is designed to trick users into sharing their Facebook login information. This latest scam, detailed by Hoax-Slayer, tells page owners that they qualify for a new security feature and must choose a 10-digit security code by May 30, otherwise their page could be suspended. The message includes a link to a site with form fields for their page URL, email address, password and a “transferring code” of their choice.
Page owners should beware of phishing attempts like these, remembering to never enter their Facebook password anywhere outside of Facebook.com and being careful about sharing any information in third-party apps and page tabs.
Facebook today announced “Trusted Contacts,” an update to its “Trusted Friends” security feature that sends access codes to a few of a user’s close friends in order to help the person regain access to their account when needed.
Users will now be able to designate their Trusted Contacts in advance and change them if necessary through the Security Settings dashboard. Previously, users only encountered this feature when they were having trouble with their account. This meant that many users were unfamiliar with it. By making Trusted Contacts part of a user’s main settings, more people might understand what it is before they have a problem — or before they are called upon as a Trusted Contact themselves. This will help users be able to use the feature more effectively.
Facebook says it has also improved the flow for people who are their friend’s Trusted Contacts, giving them more information throughout the process of helping someone get back into the account. They’ll also be notified when they are selected, another way to help people understand the feature in advance. Some users are often wary of unfamiliar Facebook features, suspecting they might be part of a scam. We’ve heard from users who didn’t initially trust Facebook’s Offers or Gifts products because they thought they were third-party spam. Something like Trusted Friends with access codes to let another user log into their account might have seemed too suspicious to some. The changes today could help avoid that.
Some Facebook users have fallen victim to a new phishing scam, which takes over a user’s Facebook account, Liking pages and posting links on their behalf, according to PC World.
The scam reportedly begins with an email that prompts users to download a new “business” version of Adobe Flash Player. Users who click on the spam link are taken to the Chrome Web Store to download a browser extension. After users download the extension, the malware will check to see if a user is logged into Facebook, and if so, it will use a script to control the account.
Facebook today detailed a malware attack that occurred last month, but which has been remediated and reportedly did not result in any user data being compromised.
Facebook says the attack originated when some employees visited a mobile developer website that had been compromised, which led to malware being installed on the employees’ laptops. After the company’s security team identified the malicious file, it flagged other infected laptops and removed the malware. Facebook says it informed law enforcement and is continuing an investigation along with others who were attacked. The company did not name other companies that were infiltrated this way, but it says it was not alone.
Facebook says it has “found no evidence” that user data was compromised. According to Ars Technica, which spoke to Facebook Chief Security Officer Joe Sullivan, the attackers gained “some limited visibility” into Facebook’s production systems as well as some corporate data, email and software code from the laptops themselves, but this did not lead to any extraction of user information.
Facebook added 27 new positions to its careers page this week, including a number of openings on the security, engineering, finance, marketing and sales teams.
The company added listings for a security program manager, a security operations center manager and a safety and security engineer.
Other noteworthy jobs include a vertical client partner focused on fast-moving consumer goods, a manager of ecosystem measurement and a presentation designer for the business marketing team.
New listings added to Facebook’s careers page:
- Safety and Security Engineer (New York)
- Finance Manager (São Paulo)
- FP&A, Sr. Financial Analyst – G&A (Menlo Park)
- IT Field Manager – APAC (Singapore)
- Legal Compliance Operations Specialist (Menlo Park)
- Manager, Global Law Enforcement Response Team (Menlo Park)
- Executive Protection Specialist (Menlo Park)
- Security Operations Center Manager (Menlo Park)
- Security Program Manager (Menlo Park)
- Software Engineer, Internal Tools (Menlo Park)
- HR Specialist, APAC (Singapore)
- Business Recruiter (Menlo Park)
- Recruitment Coordinator (1 year fixed term contract) (Dublin)
- Recruiter (Tokyo)
- Technical Program Manager, Network Engineering (Menlo Park)
- Manager, Marketing Communications Industry Relations (Contract) (Singapore)
- Presentation Designer, Business Marketing (Menlo Park)
- SMB Associate, Marketing Communications (Menlo Park)
- Small and Medium Business Growth Associate – Spanish Speaker (São Paulo)
- Small Business Analyst (São Paulo)
- Vertical Client Partner – FMCG (London)
- Account Manager Brazil (São Paulo)
- Client Partner e-commerce, Japan (Singapore – Tokyo)
- Client Partner e-commerce, Korea (Seoul – Singapore)
- Client Partner (Toronto)
- Manager, Ecosystem Measurement (Menlo Park)
Some users see option to message Zuckerberg for $100 - As part of Facebook’s paid message test, some users are seeing an option to send a message to CEO Mark Zuckerberg’s inbox for $100. When Facebook began the paid message test, the company said it would charge $1 to have messages rerouted from a user’s Other folder to the main inbox, but that it would also try higher price points for public figures and celebrities. As for the $100 price tag for Zuckerberg, Facebook told Mashable, “We are testing some extreme price points to see what works to filter spam.”
Facebook issues grants to local nonprofits – Facebook has given $200,000 in grants to 42 nonprofits in Menlo Park and East Palo Alto, according to the Mercury News. The donations are part of a deal with the city of Menlo Park that gives Facebook permission to expand its headquarters there. The grants range from $2,500 to $5,000 and support causes including youth programs, food distribution, small business aid and clothes for homeless kids.
Facebook solves password security flaw – Facebook has fixed an issue that would have allowed someone to change a user’s password without the user’s knowledge, according to researcher Sow Ching Shiong, who discovered the security flaw. Previously, someone with access to a logged-in account could visit Facebook.com/hacked and reset the password without being asked for the original password. Since the discovery, Facebook asks users to verify their current password before proceeding.
Facebook customer satisfaction worse than any other social network - Facebook scored the lowest of any social network in the latest American Customer Satisfaction Index ratings. Facebook’s score of 61 put it last among social networks and third worst of all companies in the index. Facebook’s score is tied with that of cable and internet provider Comcast. Google+ and Wikipedia came in first among social networks with a score of 78. The ACSI ratings are based on customer surveys.