Facebook rolls out 'Whitehat Settings' to let bug bounty hunters test server-side issues

Recently, Facebook organised a Whitehat survey, where the researchers revealed that Facebook security controls, though good for the app, make it harder for bug bounty hunters to test the mobile apps for server-side security vulnerabilities. To fix that, Facebook has announced a new settings option in its apps. Facebook has added a new ‘Whitehat Settings’ option in the Facebook, Messenger and Instagram Android apps (not available on iOS clients yet), which will allow security researchers to bypass Facebook’s Certificate Pinning security mechanism. [caption id=“attachment_6332561” align=“alignnone” width=“1280”]  Representational Image.[/caption] As Facebook explains, Certificate Pinning mechanisms are “designed to raise the barrier of entry for an attacker, seeking to break the integrity and confidentiality of the traffic sent from the client (user device) to the server (Facebook’s infrastructure).” The Whitehat Settings can be enabled by visiting the Facebook settings page. You can also find additional details and video tutorials on the website’s support page. You can find the feature under Facebook’s Settings > Settings & Privacy > Whitehat Settings. For Messenger and Instagram too, this feature will be listed in the Settings menu of the respective apps. [caption id=“attachment_6343291” align=“alignnone” width=“1280”]  The ‘Whitehat Settings’ option is available on Facebook, Messenger, and Instagram Android apps. Image: Facebook[/caption] Once you enable the feature, you will see that it comes with its own settings, such as a built-in proxy for Facebook Platform API interactions, the ability to disable Facebook’s TLS 1.3 support and the option to use user-installed certificates for easier traffic interception. Do note, Facebook recommends that security researchers turn the Whitehat Settings off as soon as they are done testing the vulnerabilities, as the feature can potentially weaken an account’s overall security posture.