Facebook has rolled out a new setting on its platform that lets bug bounty hunters perform whitehat security research more easily.
The new option, named “Whitehat Settings,” introduces a mechanism by which security researchers can bypass Facebook’s certificate pinning.
Certificate pinning protects traffic originating from Facebook’s mobile apps against interception and sniffing. Facebook states that when a security researcher turns on “Whitehat Settings,” it intentionally breaks its certificate pinning for that account. This makes it easier for the researcher to intercept, sniff, and analyze the traffic that originates from within the apps.
The “Whitehat Settings” option was implemented in response to demand from security researchers who found it difficult to bypass the certificate pinning security measure.
“Whitehat Settings” can be enabled in Facebook’s main app, Facebook Messenger and the Instagram app. It supports only the Android apps, not the iOS ones.
When the feature is enabled, it exposes its own settings:
- Built-in proxy for Facebook Platform API interactions,
- Disable Facebook’s TLS 1.3 support,
- Use user-installed certificates for easier traffic interception.
Those who wish to enable “Whitehat Settings” can do so from the Facebook settings page; additional details and video tutorials are available on Facebook’s support page.
Security researchers should disable the feature as soon as they stop testing for vulnerabilities, because it weakens the account’s overall security posture.
Facebook has always shown a friendly attitude toward the infosec community: it runs its own bug bounty program, provides large payouts and often open-sources security tools.