
Facebook will pay you to find security holes in third-party apps

It's the company's first "bug bounty" for security flaws on third-party apps running on Facebook

Facebook's bug bounty page, where as of Monday you can report third-party apps that leak user tokens.


If you use Facebook to log into your favorite services, it should come as no surprise that you're sharing some of your Facebook data with a third-party app or website. That's the point. 

So the company wants members to feel safe using Facebook to connect to services that include everything from Airbnb and Yelp to FarmVille and Candy Crush.

On Monday, Facebook announced an update to its bug bounty program designed to help prevent user information from leaking through security flaws in third-party apps. The program will now pay for reports of third-party services that might expose the bits of information that Facebook uses to identify you as you. That information is known as user tokens. 

Facebook declined to say how many third-party apps run on its platform. Only apps that give you the option to "log in with Facebook" are affected by the changes announced Monday.

The program is another way that Facebook is attempting to show users it's trying to keep their data safe after a privacy scandal enveloped the company in March. The company's troubles began when the Guardian and New York Times revealed that a researcher had collected the data of 87 million users with a third-party app and then improperly shared it with political consultancy Cambridge Analytica.

The new program covers apps and websites that are leaking user information through cybersecurity flaws rather than by selling it.

"If exposed, a token can potentially be misused," said Dan Gurfinkel, security engineering manager at Facebook, in a blog post published Monday. "We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."

Facebook users can control the kinds of data third-party services can access with their settings. That means an exposed user token could reveal a lot about you, depending on what you've let a particular app or website access, Gurfinkel said.

The program is an update to Facebook's overall bug bounty program, and will pay at least $500 per app or website found to be exposing user tokens. The company created a separate bug bounty in April that offers rewards for finding third-party services that are abusing Facebook user data.