Instagram Hack highlights need for greater security researcher responsibility
The Safety in Pictures
Facebook-owned Instagram, like most large tech companies, relies on outside security researchers to find loopholes and vulnerabilities in its websites and services. Researchers are often paid for their findings, but they also take on a responsibility: to handle what they uncover with care and to work within the rules the company sets for its program. The reason for those boundaries is simple. A researcher who has found a way in is, technically, in the same position as any other intruder, so a program cannot tolerate someone who keeps exploring on their own and sits on what they learn for days, weeks, or months. Tech companies also do not want to look careless to customers who have trusted them with personal data.
It goes without saying, then, that Synack contractor Wesley Wineberg has some explaining to do for his role in the Instagram hack. Wineberg was not on Facebook's payroll; he took part in Facebook's Bug Bounty Program, found a vulnerability, and reported it to Facebook right away. The bug involved an Instagram server that would have let an attacker run any command they wanted on it.
After that initial discovery, however, Wineberg kept going. Using the access he already had, he found that a number of employee accounts were protected by common passwords that he was shocked to see in use. Although he had reported the first bug promptly, he went on to find further weaknesses that let him reach Facebook employee accounts and passwords. Instead of reporting the weak employee passwords immediately, as he had done with the initial bug, Wineberg held that information back from Facebook for five weeks: he discovered the password problem on October 24th but did not report it until December 1st. Facebook responded by contacting Synack and describing what Wineberg had done as a hacking incident rather than legitimate research. Synack did not fire him; Facebook's call to his employer reads more as a show of force than anything else.
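The weak-password finding above is worth seeing in working code, because it shows how little effort it takes once a credential store is exposed. The following is an added example written for this article; it is not Wineberg's code, nor anything from Facebook, Instagram or Synack. The account names, salts, hashes and the short common-password list are all constructed here, and the storage format (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption chosen so the example runs offline. The audit function does what an attacker or an auditor would do with a dump: re-hash each common password with each stored salt and compare. The second function is the set-time check that would have stopped those passwords from being chosen in the first place.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed storage format for this example: PBKDF2-HMAC-SHA256 with a random
# per-user salt. Real deployments use a far higher iteration count; it is kept
# low here only so the audit loop below finishes in a few seconds.
ITERATIONS = 20_000

# Constructed stand-in for a common-password list. In practice load a
# published list of the most-used passwords instead of this handful.
COMMON_PASSWORDS = [
    "123456", "password", "changeme", "welcome1", "qwerty",
    "letmein", "admin", "summer2015",
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the way the (assumed) credential store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_sample_dump() -> List[Tuple[str, bytes, bytes]]:
    """Constructed credential records (username, salt, hash) for the demo.
    Three accounts deliberately use guessable passwords; one does not."""
    plaintext = {
        "alice": "changeme",
        "bob": "password",
        "carol": "welcome1",
        "dave": "correct-horse-battery-staple-91",
    }
    dump = []
    for user, pw in plaintext.items():
        salt = os.urandom(16)
        dump.append((user, salt, hash_password(pw, salt)))
    return dump


def audit_dump(dump: List[Tuple[str, bytes, bytes]],
               candidates: List[str]) -> Dict[str, str]:
    """Offline dictionary check: re-hash every candidate with the stored salt
    and compare to the stored hash. Salting does not help here, because the
    salt is stored next to the hash; only an uncommon password survives.
    Returns {username: recovered_password} for the accounts that fall."""
    cracked: Dict[str, str] = {}
    for user, salt, stored in dump:
        for guess in candidates:
            if hmac.compare_digest(hash_password(guess, salt), stored):
                cracked[user] = guess
                break
    return cracked


def reject_weak(password: str,
                banned: List[str] = COMMON_PASSWORDS,
                min_length: int = 12) -> Optional[str]:
    """Set-time policy check. Returns a rejection reason, or None if the
    password is acceptable. The ban list is checked before length so that a
    common password is reported as such even when it happens to be long."""
    if password.lower() in {b.lower() for b in banned}:
        return "on common-password list"
    if len(password) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    dump = build_sample_dump()
    weak = audit_dump(dump, COMMON_PASSWORDS)
    for user, pw in sorted(weak.items()):
        print(f"{user}: guessable password {pw!r}")
    print("not cracked:", [u for u, _, _ in dump if u not in weak])
```

Note that the audit never needs to reverse the hash; it only needs the same list of common passwords an attacker would try. That is why the set-time check matters: by the time a store like this is in someone else's hands, the hashing scheme is no longer the thing protecting the weak accounts.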
Is the Instagram hack something worth talking about?
Some may think it isn't worth discussing, but I disagree. It is worth talking about because the Instagram hack goes to the heart of a security researcher's responsibility when they discover bugs, loopholes, or, as in this case, weak passwords. Wesley Wineberg acted responsibly in reporting the first vulnerability to Facebook; why, then, did he withhold what he found in the second round for five weeks? From that point on, he was indistinguishable from an attacker probing the Instagram server for their own purposes.
What took Wineberg five weeks? Did he need to get into that many accounts to confirm that the passwords were weak and that a malicious attacker could exploit them? He did not, and his decision to report the first finding but sit on the second shows that he is culpable: morally responsible for withholding the information from Facebook for over a month. Even if his intentions were sincere, a five-week silence creates suspicion, and that is enough to call it a breach of ethical conduct.
Could the Instagram hack aftermath have been prevented?
The short answer is "yes." Wineberg needed only to tell Facebook what he had found and ask whether they wanted him to continue. Instead he said nothing and kept going, confident that nobody else would report the new vulnerability he had discovered before he did. At that point his conduct looks like unauthorized access, not authorized research.
Wineberg's company did not fire him, but by withholding the information for five weeks he made himself answerable for anything that happened to employee and user data in that window. His conduct resembles that of an attacker who quietly keeps access to a server's database for weeks before anyone notices. Holding on to that secret access puts his work as a security researcher in serious question, and even if Synack keeps him on as a contractor, he carries a black mark that may keep him from future work with Facebook and other major tech companies. Once a person gets this kind of morally questionable mark on their record, the stain is hard to remove.
As always, take security in your own hands and get yourself a good VPN.