Facebook dodges potential 'peeping Tom' webcam exploit thanks to bug hunters

Facebook Password lock

It appears that Facebook has dodged a somewhat serious security mishap that would have allowed attackers to remotely and secretly activate users' webcams and post the recorded video to their profiles. According to Bloomberg, a pair of researchers at XY Security discovered the bug in July and submitted it to Facebook, which paid the pair $2,500 in cash for their efforts — five times the typical going rate Facebook offers for bugs users submit, an acknowledgment that this one was particularly serious. A Facebook spokesperson told Bloomberg that it found no users had been affected when it closed the hole, but it was still a potentially serious flaw the company must be glad it fixed before things got ugly. "This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild," Facebook spokesperson Fred Wolens wrote to Bloomberg in an e-mail.

Facebook may have dodged a bullet

This is hardly the first "peeping Tom" exploit out there, but one on the gigantic Facebook platform could have been a black eye for a company trying to reverse its struggling position in the stock market. Given the negative attention that apps like Snapchat and Poke have received recently for not being as secure with their videos as they claim, video privacy looks set to remain a hot security topic for the foreseeable future. That said, Facebook insists the process of accessing a user's webcam was quite a difficult one. "Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop / publish the video," Wolens wrote. Regardless of the difficulty level, the closing of this hole is a good example of the value of the "bug bounty" programs that companies like Facebook, Mozilla, and Google run.