Facebook’s Whitehat Settings lets bug-hunters dial back app security

What if the security controls added by Facebook to make it harder for snoopers and ne’er-do-wells to attack the company’s servers…

…makes things harder for researchers who are trying to hunt for bugs legitimately?

That’s what’s been happening, bug hunters have told Facebook via its Whitehat survey.

Nearly all Facebook-owned apps make it as hard as they can to stop tricks such as Man-in-the-Middle (MiTM) attacks, which could allow rogues in your local coffee shop to spy on you, but this also makes it tough for ethical hackers and security researchers to intercept and analyze network traffic to find server-side security vulnerabilities.

That’s why Facebook decided to help them out by giving them Researcher Settings so they can dial back their connection security and pretend that it’s still 2009.

Facebook’s Whitehat Settings

Facebook’s Bug Bounty program announced on Friday that it’s implemented what it’s calling Whitehat Settings.

These “backed off” connection settings will help security researchers analyze network traffic on Facebook, Messenger and Instagram Android applications – on their own accounts, that is.

In other words, these less secure settings don’t affect other people using Facebook, and don’t let researchers spy on traffic that isn’t theirs to start with.

The new settings allow researchers to run Facebook’s mobile apps in “watch what happens” mode by:

  • Disabling Facebook’s TLS 1.3 support.
  • Enabling proxying for Platform API requests.
  • Using user-installed security certificates.

Facebook recommends that in order to ensure that the settings show up in each mobile app, researchers need to sign out from each mobile app, close it, then re-open the app and sign in again.

The sign in process will fetch the new configuration and setting updates you have just made. You only need to do this once, or whenever you make changes to these settings.

Keep in mind that these settings reduce the security available for apps. That’s why the social media platform advises researchers to turn off the settings when they’re not bug-hunting:

For the security of your account, we advise turning these settings off when not testing our platform to find Whitehat bug bounty vulnerabilities.

One security researcher, at least, thinks the Whitehat settings are a “cool idea”:

Naked Security’s own Paul Ducklin put it like this:

Facebook is helping security researchers have their cake and eat it, too. By default, you’re protected against other people sniffing out your network traffic, which stops them seeing what data you’re sending to Facebook. But now you can carefully snoop on yourself when you need to, so you can see how Facebook is sending your data. That’s good for security, privacy and transparency.

How to put on your Whitehat

Facebook’s new Whitehat settings aren’t visible by default. Rather, bug hunters have to explicitly turn them on, which you can do here.

You can also get setup instructions, including video tutorials, on this help page.