By his count, Nir Goldshlager has hacked Facebook more than 100 times. The 27-year-old Israeli researcher has found all sorts of ways to gain unauthorized access to Facebook accounts. He even titled one recent blog post: “How I Hacked Any Facebook Account…Again!”
But the team at Facebook is not upset with Goldshlager for exposing its mistakes. Quite the opposite: they pay him for it.
Two years ago, Facebook unveiled its “bug bounty program,” which pays independent researchers to report security flaws in the social-networking site. The idea is to encourage the good guys (known as “white hat” hackers) to find and report bugs so that Facebook can fix them before the bad guys (“black hat” hackers) exploit them for malicious purposes, like identity theft.
Since 2011, no one has reported more bugs to Facebook than Goldshlager. He’s spent countless hours wandering Facebook’s virtual hallways, checking every knob until he finds an unlocked door. He credits his work with his unique ability to think differently than software developers.
“I know what the developers forgot to check,” he told The Huffington Post. “This is how my mind works all the time.”
Facebook is one of just a few tech companies — including Google and PayPal — that pay researchers to report security flaws. Facebook pays a minimum of $500 for valuable information, so long as the hacker is the first to report the bug and agrees not to disclose it until after the company has fixed it. Goldshlager also participates in bug bounty programs with Google and PayPal, but he has focused on Facebook’s program because the company pays more.
To get paid, Goldshlager must also adhere to Facebook’s disclosure policy, which says researchers must make “a good faith effort” to avoid privacy violations, destruction of data and interrupting the site’s service during research — to keep from being sued by Facebook or investigated by law enforcement.
Goldshlager declined to say how much money he has made from Facebook’s bug bounty program. (“Let’s just say a good amount,” he said). The company does not publicly disclose its payment rates for each bug, but during the first week of the program, Facebook paid a single bug bounty of more than $3,000.
On his blog, Goldshlager posts videos demonstrating how he could take over Facebook accounts by exploiting flaws in the site’s password reset function, or holes in Skype and Dropbox, or bugs in Mozilla’s Firefox browser. It takes him about five hours, on average, to find a Facebook bug, he said.
He writes about his research in detail, revealing how he occasionally runs into security walls (“I was thwarted yet again.”), before finding ways around them. He concludes many posts with two words: “Game Over.”
But for Facebook’s most prolific bug bounty hunter, it is not just about the money or the small measure of fame he receives in the security world. It’s also about keeping himself safe online.
“I use Facebook every day,” Goldshlager said. “For my own interest, I want to make it more secure.”
Facebook spokesman Fred Wolens said the company envisioned a hacker like Goldshlager when it launched the bug bounty program.
“We are glad that there are people in the community, like Nir Goldshlager, who participate in these programs and contribute to everyone’s security,” he said in a statement. “Additionally, we appreciate the attention Nir has generated for the program and encourage even more people to test our services.”
Facebook isn’t the only appreciator of Goldshlager’s work. He finds what are called “zero day” security flaws — vulnerabilities that have never been found before, valuable because they can’t be spotted by anti-virus software.
Goldshlager knows he could sell his findings for more than what Facebook pays. Some zero days are worth hundreds of thousands of dollars on the black market, according to Slate, and Goldshlager said he has received requests from foreign governments offering to buy information on the vulnerabilities he’s found. But he has never accepted them.
“There are a lot of people who contact me and ask me to sell them Facebook vulnerabilities all the time,” he said. “But I don’t believe in the black market. I want to sleep good at night. I don’t want to get my hands dirty for a few more thousand dollars.”
Recently, Goldshlager said he would retire from bug bounty programs to focus on building his new company, Break Security, which specializes in what is called penetration testing, or hacking companies’ websites to show their security weaknesses. For his services, he charges a rate of $200 per hour.
But he said he still plans to poke and prod Facebook for bugs and to write about his findings on his blog. He has also found a new target: Instagram, the photo-sharing service that was acquired by Facebook last year.
Next week, Goldshlager plans to blog about how he found a flaw in Instagram that allows an attacker to compromise user accounts. He said the flaw has since been fixed.
“It was a nice one,” he said. “I’m quite proud of it.”