Facebook will pay you to find security holes in third-party apps

It's the company's first "bug bounty" for security flaws on third-party apps running on Facebook

Laura Hautala Former Senior Writer

If you use Facebook to log into your favorite services, it should come as no surprise that you're sharing some of your Facebook data with a third-party app or website. That's the point. 

So the company wants members to feel safe using Facebook to connect to services that include everything from Airbnb and Yelp to FarmVille and Candy Crush.

On Monday, Facebook announced an update to its bug bounty program designed to help prevent user information from leaking through security flaws in third-party apps. The program will now pay for reports of third-party services that might expose the bits of information that Facebook uses to identify you as you. That information is known as user tokens. 

Facebook declined to say how many third-party apps run on its platform. Only apps that give you the option to "log in with Facebook" are affected by the changes announced Monday.

The program is another way that Facebook is attempting to show users it's trying to keep their data safe after a privacy scandal enveloped the company in March. The company's troubles began when the Guardian and New York Times revealed that a researcher had collected the data of 87 million users with a third-party app and then improperly shared it with political consultancy Cambridge Analytica.

The new program covers apps and websites that are leaking user information through cybersecurity flaws rather than by selling it.

"If exposed, a token can potentially be misused," said Dan Gurfinkel, security engineering manager at Facebook, in a blog post published Monday. "We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."

Facebook users can control the kinds of data third-party services can access with their settings. That means an exposed user token could reveal a lot about you, depending on what you've let a particular app or website access, Gurfinkel said.

The program is an update to Facebook's overall bug bounty program, and will pay at least $500 per app or website found to be exposing user tokens. The company created a separate bug bounty in April that offers rewards for finding third-party services that are abusing Facebook user data.