Facebook’s Whitehat Settings lets bug hunters dial back app security
What if the security controls Facebook added to make it harder for snoopers and ne’er-do-wells to attack the company’s servers…
…also make things harder for researchers who are legitimately hunting for bugs?
That’s what’s been happening, bug hunters have told Facebook via its Whitehat survey.
Nearly all Facebook-owned apps do as much as they can to stop tricks such as Man-in-the-Middle (MiTM) attacks, which could let a rogue in your local coffee shop spy on you. But the same hardening makes it tough for ethical hackers and security researchers to intercept and analyze the apps’ network traffic in order to find server-side security vulnerabilities.
That’s why Facebook decided to help them out with Whitehat Settings: a way for researchers to dial back the connection security of their own accounts and pretend it’s still 2009.
Facebook’s Whitehat Settings
Facebook’s Bug Bounty program announced on Friday that it’s implemented what it’s calling Whitehat Settings.
These “backed off” connection settings will help security researchers analyze network traffic on Facebook, Messenger and Instagram Android applications – on their own accounts, that is.
In other words, these less secure settings don’t affect other people using Facebook, and don’t let researchers spy on traffic that isn’t theirs to start with.
The new settings allow researchers to run Facebook’s mobile apps in “watch what happens” mode by:
- Disabling Facebook’s TLS 1.3 support.
- Enabling proxying for Platform API requests.
- Using user-installed security certificates.
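To make the third item concrete, here is an added illustration of how the trust decision behind it is expressed in an Android app’s Network Security Configuration. This is example code written for this article, not Facebook’s configuration: the file layout and element names are the standard Android ones, while the domain name is a placeholder chosen for the example. The first section is the hardened default (system CAs only, which on Android 7.0 and later already means a CA the researcher installs through Settings is ignored, so a proxy’s forged certificate fails validation and the handshake aborts); the second section is the relaxed form, which additionally trusts user-installed CAs so an interception proxy can see the traffic.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml
     via android:networkSecurityConfig. Illustrative example only; not the
     configuration shipped in any Facebook app. -->
<network-security-config>
    <!-- Hardened default: trust only the system CA store and refuse cleartext.
         A user-installed CA (e.g. an interception proxy's root) is NOT trusted,
         so a proxy sitting between the app and the server cannot complete
         the TLS handshake for any host not covered by a domain-config below. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Relaxed, scoped to one host: also trust user-installed CAs so that a
         proxy's certificate for this host is accepted and its traffic can be
         inspected. "example-api.test" is a placeholder domain for this example. -->
    <domain-config>
        <domain includeSubdomains="true">example-api.test</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Two practical caveats follow from this. The configuration above is fixed at build time, so an ordinary user cannot flip it; what Facebook describes is the equivalent relaxation exposed as an in-app toggle that applies only to the researcher’s own account. And trusting a user CA is only part of the job: an app that also pins its server certificates (a `<pin-set>` in the same file, or pinning done in code) rejects the proxy’s certificate regardless of which CA signed it, and the TLS 1.3 switch exists for a similar reason, since a proxy that cannot negotiate the protocol version the app offers never gets to present a certificate at all.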