Discovered by Natalie Silvanovich of Google's Project Zero bug hunting team, the vulnerability, which is now patched, could have been exploited on Messenger for Android if an attacker simultaneously called a target and sent them a specially crafted, invisible message to trigger the attack.
Facebook and Twitter also collaborated with Google and Apple on remediation efforts, and the Indiana University researchers won an additional bug bounty award from Google for their findings.
Last year, the company began paying bounties for certain bugs researchers might find in third-party services that integrate with Facebook. “Reports submitted to us thanks to security researchers allow us to learn from their insights,” says Dan Gurfinkel, who heads Facebook's bug bounty program.
Security News This Week: A Teen Won't Tell Apple How He Hacked MacOS

It's frankly hard, at the end of this long week, to devote much mental energy to any news that's not Jeff Bezos going to war with the National Enquirer, but stay with us!
Facebook wanted to make it clear that researchers shouldn't breach user data in the process of finding problems, but they should submit more nuanced types of data misuse reports whenever it was possible to document these complex interactions safely.

Striking this balance is more challenging than it may initially seem, according to Alex Rice, CTO of the bug bounty development organization HackerOne. Rice consulted on Facebook's bug bounty when it launched in 2011, and says he was impressed to see it expand to accept privacy and third-party reports this year.