It’s a good thing Facebook offers money to so-called “bug bounty hunters” to discover weaknesses in its own defenses. The holes these security experts discover are often startling, like the one researchers recently uncovered that exposed Facebook to a cyberattack method first used in 1998.
Facebook paid out a bounty to a trio of security researchers for discovering the flaw, which exploited a weakness in widely used website encryption protocols. Although the attack method is 19 years old, the researchers found that almost one-third of the top 100 domains on the web are still vulnerable to it. The bug would’ve effectively allowed hackers to intercept any information that passed from Facebook to its users, including passwords.
“If this attack works then essentially anything you think you are sending securely to Facebook, isn’t [secure],” said Alan Woodward, a professor at the University of Surrey’s Department of Computing. “[The] attack isn’t new, so it is surprising that it is reappearing, especially on such high profile systems.”
For its part, Facebook expressed gratitude to the researchers for discovering the problem, and said that it has since been fixed. The company also said it was “not aware” of any abuses of the vulnerability, though it’s been around for so long, it’s hard to be certain of that.