<p>A security researcher who unearthed a major Instagram hole has got into trouble with Facebook, which has accused him of unethical behaviour.</p>
<p>Wesley Wineberg, a well-known bug hunter, was probing an exposed Amazon-hosted Instagram server when he found a hole that could allow attackers to run code remotely, and submitted a ticket to Facebook's bug bounty team, Engadget.com reported.</p>
<p>After confirming the bug, he decided to dig a bit deeper, and then things took an ugly turn. He managed to crack some weak employee passwords and submitted another report. Using that information, he obtained a key that allowed him to access server files.</p>
<p>To demonstrate the extent of the vulnerability, he downloaded several "buckets" of non-user data from Instagram's Amazon servers. The data, he discovered, gave him access to source code and secret key material.</p>
<p>"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," he wrote in a blog post. Having paid Wineberg $2,500 for discovering the earlier bug, Facebook was, this time around, far from grateful.</p>
<p>It declined to pay him for the later bug submissions, saying he had violated the terms of its bug bounty programme.</p>
<p>In a Facebook post, CSO Alex Stamos wrote: "Intentional exfiltration of data is not authorized by our bug bounty programme, is not useful in understanding and addressing the core issue, and was not ethical behaviour by Wes."</p>
<p>Stamos was also reported to have told Synack's CEO, Wineberg's employer, that "we could not allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research".</p>