A security researcher says Facebook tried to get him fired because he discovered a bug in Instagram

Dec 18, 2015, 17:00 IST

Facebook CSO Alex Stamos (Win McNamee/Getty Images)

A web security researcher has accused Facebook of trying to threaten and intimidate him after he discovered a vulnerability in the software behind Instagram, and reported it to the company. Facebook rewards people for reporting security flaws to it, as part of its bug bounty program. Payments for new bugs start at $2,500.

Facebook chief security officer Alex Stamos, however, says the researcher tried to hold the company up for more money and behaved in a "not ethical" manner by using the bug to download data.

The researcher, Wes Wineberg, wrote a long blog post explaining the saga. "To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," said Wineberg. "With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member."

He reported it to Facebook, but heard nothing back. Later, Wineberg got a call from his boss and the CEO of the company he does contract work for, Synack.

According to Wineberg, Facebook's Stamos had gone directly to his employer to allege improper behaviour after he found the Instagram bug. "Alex then stated that he did not want to have to get Facebook's legal team involved, but that he wasn't sure if this was something he needed to go to law enforcement over." Wineberg describes Facebook's actions as [ensuring] "that my findings could be effectively covered up."

Stamos, in a post on Facebook, refutes every one of Wineberg's claims. He did not, as Wineberg claims, threaten to get him fired but said his "behavior reflected poorly on him and on Synack."

(It's worth noting that Wineberg is a contractor for Synack, not a full-time employee. He also says he contacted Facebook through a personal email, not his work email, implying that it was Stamos who made the connection to Synack.)

Facebook has previously been receptive to those who find bugs in its products and report them to the company. An undiscovered bug can fall into the wrong hands and be used for any number of reasons, many of them bad.

"Despite all efforts to follow Facebook's rules, I was now being threatened with legal and criminal charges," wrote Wineberg. "If the company I worked for was not as understanding of security research I could have easily lost my job over this."

For his part, Stamos describes Wineberg's investigation of the bug as "going well above and beyond what is necessary," which resulted in the call to his employer. He denies threatening legal action.

Wineberg told Threatpost, a blog about software security, that he had deleted all of the data he found.

Business Insider has reached out to Facebook to ask about the claims. We will update the post when we hear back.
