Meta wants you to find the flaws in its new virtual reality headsets


When a new technology appears, cybercriminals and fraudsters take an interest in it almost immediately to see what it can do for them.

Smartphones and the Internet of Things, among others, are increasingly part of everyday life, and all of these technologies are targets for malicious hackers looking to steal passwords, personal information, bank details, and more.

As the metaverse and virtual reality emerge as a new way to live, work and play online, these platforms will quickly become targets for cybercriminals looking to find and exploit vulnerabilities in the hardware and software, or simply to use the technology as a vehicle for their scams.

Now Facebook owner Meta, which is investing huge sums in its metaverse projects, wants to get ahead of attackers by asking security researchers to identify vulnerabilities and weaknesses in metaverse-related products such as Meta Quest, Meta Quest Pro and the Meta Quest Touch Pro controllers. Rewards for valid findings can run into the hundreds of thousands of dollars.

Become familiar with the equipment

Facebook has had a bug bounty program in place for its web apps since 2011, but while the metaverse is a key pillar of Meta’s business strategy, the company is still relatively new to hardware development.

By encouraging cybersecurity experts to “hack” the metaverse, the company seeks to improve the security of its products for everyone.

“One of our priorities is to further integrate the external research community with us on our journey to secure the metaverse. As this is a relatively new space for many, we are working to make the technology more accessible to bug hunters and help them submit valid reports faster,” says Neta Oren, who leads security analysts and the bug bounty program at Meta.

Part of the strategy is to educate security researchers and ethical hackers about Meta’s VR headsets. This was the aim of Meta BountyCon, a bug bounty-focused security conference that lets bug hunters familiarize themselves with the products.

Varied rewards

Meta updated its bug bounty terms to make explicit that its latest products, the Meta Quest Pro headset and Meta Quest Touch Pro controllers, are in scope, and added new payout guidelines for virtual reality technologies, including bugs specific to Meta Quest Pro.

And for those who discover security flaws in Meta’s virtual reality and metaverse technology, the financial rewards can run into the hundreds of thousands of dollars.

The payout guidelines state that reports of mobile remote code execution flaws (vulnerabilities that let an attacker run malware on or take control of a device) can be rewarded with up to $300,000, while account takeover vulnerabilities can earn up to $130,000.

The rewards are high because Meta wants to attract ethical hackers who may never have looked at the company’s virtual reality products. “We want to help researchers prioritize their efforts and focus on some of the most important areas of our platform,” Neta Oren points out.

The bug bounty program has already surfaced several previously unknown vulnerabilities.

Flaws already fixed

A disclosure submitted at BountyCon revealed an issue in Meta Quest’s OAuth flow (OAuth is the open standard that lets a website or app obtain delegated access to a user’s data on another service without the user’s password) that could have allowed an attacker to take over a user’s access token, and with it the account, in just two clicks.

“We have corrected this issue, and our investigation found no evidence of abuse. We rewarded this report with a total amount of $44,250, which reflects the impact of the vulnerability,” says Neta Oren.

Another researcher was awarded $27,200 for a vulnerability that could have allowed an attacker to bypass the SMS-based two-factor authentication: a rate-limiting gap made it possible to brute-force the verification code required to confirm someone’s phone number. This vulnerability was also patched after it was disclosed.
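To make the failure mode concrete, here is an added, constructed illustration (not Meta’s code, and not the actual reported bug) of why a missing rate limit on a verification endpoint is a 2FA bypass: a six-digit SMS code has only a million possible values, so a verifier that accepts unlimited guesses is brute-forceable in seconds, whereas one that burns the code after a handful of wrong attempts is not. The attempt limit, expiry and class names are assumptions chosen for the example.

```python
"""
Constructed example of the SMS 2FA rate-limiting failure mode.
Hypothetical code: not Meta's implementation, and not the reported bug.
"""
import hmac
import secrets
import time
from typing import Optional

CODE_DIGITS = 6
MAX_ATTEMPTS = 5         # assumption: lock the code after five wrong guesses
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes


def issue_code() -> str:
    """Generate a random zero-padded numeric code, as an SMS 2FA system would send."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class UnlimitedVerifier:
    """Vulnerable: accepts any number of guesses, so the whole code space can be tried."""

    def __init__(self, code: str):
        self._code = code

    def verify(self, guess: str) -> bool:
        return guess == self._code


class RateLimitedVerifier:
    """Hardened: bounded attempts, expiry, constant-time compare, single use."""

    def __init__(self, code: str, issued_at: Optional[float] = None):
        self._code: Optional[str] = code
        self._issued_at = time.monotonic() if issued_at is None else issued_at
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if self.locked or self._code is None:
            return False
        if now - self._issued_at > CODE_TTL_SECONDS:
            self.locked = True          # expired: a fresh code must be issued
            return False
        self.attempts += 1
        # constant-time comparison so the response time does not leak a matching prefix
        ok = hmac.compare_digest(guess.encode(), self._code.encode())
        if ok:
            self._code = None           # single use: the code cannot be replayed
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True          # further guesses are refused until re-issue
        return False


def brute_force(verifier) -> Optional[str]:
    """Attacker loop: try every code in order until one verifies or the verifier locks."""
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        if verifier.verify(guess):
            return guess
        if getattr(verifier, "locked", False):
            break
    return None


if __name__ == "__main__":
    code = issue_code()
    print("unlimited verifier cracked:", brute_force(UnlimitedVerifier(code)) == code)
    hardened = RateLimitedVerifier(code)
    print("rate-limited verifier cracked:", brute_force(hardened) is not None,
          "| attempts before lock:", hardened.attempts)
```

The attacker loop against `UnlimitedVerifier` always recovers the code, because nothing bounds the number of guesses. Against `RateLimitedVerifier` it is stopped after `MAX_ATTEMPTS` wrong answers, which is the check the vulnerable endpoint in the article lacked. Locking per code (and per phone number or account) rather than per source IP matters in practice, since an attacker can spread guesses across many addresses.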

These vulnerabilities might not have been discovered, or at least not as quickly, without the bug bounty program, which Meta intends to keep developing.

“We welcome any input from the external community in order to have as many eyes on the code as possible, to continue testing our products and to make them more secure,” notes Neta Oren.

A virtuous circle of research

The metaverse bug bounty program follows in the footsteps of other Meta programs, some of which have been running for a decade. The company also has a number of information security teams whose job is to keep the metaverse and Meta’s other platforms as secure as possible against cyber threats.

These include product security reviews, a threat modeling team, an internal red team that runs penetration tests against the company, and more, all of which complement the bug bounty program. Meta combines these efforts so that any product it releases is as secure as possible against as many threats as possible.

“These are all the things that we have learned over the years and that we apply when we build new products, so the new products already incorporate all these measures,” Neta Oren clarifies.

Once a disclosed vulnerability has been investigated and mitigated, a security update is rolled out to the affected products. To make sure those fixes are actually applied, Meta’s VR products automatically check for updates at launch and install them.

“We are sharing these vulnerabilities publicly so that everyone in the industry can learn from them. It’s common that once a big company publishes this stuff, other companies look internally for something similar,” says Neta Oren. And since external researchers are not limited to Meta products, if they find something in the Meta Quest Pro or another Meta device, they are likely to look for the same weakness in similar products built by others.

“We know that our researchers don’t just hunt on Meta. So if they find a flaw with us, they can look for it with our competitors and report it to them as well,” says Neta Oren. “That’s why we think education is so important, because researchers, whatever they learn with us, they’ll implement for other companies when they’re chasing bugs,” she adds.

Source: ZDNet.com