Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications.
Since almost all Facebook-owned apps use security mechanisms such as Certificate Pinning by default to ensure the integrity and confidentiality of their traffic, it is harder for white hat hackers and security researchers to intercept and analyse network traffic to find server-side security vulnerabilities.
For those unaware, Certificate Pinning is a security mechanism designed to protect users of an application from network-based attacks by automatically rejecting the whole connection to sites that offer bogus SSL certificates.
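The pinning decision described above, sketched as an added example (not Facebook's code, and not from the original article). It assumes pins are SHA-256 hashes of the certificate's SubjectPublicKeyInfo, one common pin format; the helper names and the sample "certificates" are constructed for illustration and are skeletal DER, not valid X.509.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, cert_body)     # tbsCertificate SEQUENCE
    first_tag, _, _ = read_tlv(cert_der, pos)
    # Skip [0] version (optional), serial, signature alg, issuer, validity, subject.
    for _ in range(6 if first_tag == 0xA0 else 5):
        _, _, pos = read_tlv(cert_der, pos)
    _, _, spki_end = read_tlv(cert_der, pos)
    return base64.b64encode(hashlib.sha256(cert_der[pos:spki_end]).digest()).decode()

def connection_allowed(chain_der, pinned):
    """Pinning decision: some certificate in the presented chain must match a pin."""
    return any(spki_pin(cert) in pinned for cert in chain_der)

# --- Constructed sample data: skeletal DER with the X.509 field layout, not real certs ---
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(key_bytes, with_version=True):
    spki = der(0x30, der(0x30, b"\x06\x01\x2a") + der(0x03, b"\x00" + key_bytes))
    fields = [der(0xA0, der(0x02, b"\x02"))] if with_version else []
    fields += [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [spki]
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

SERVER_CERT = sample_cert(b"\x11" * 200)                     # key the app expects
PROXY_CERT = sample_cert(b"\x22" * 200, with_version=False)  # interception proxy's key
PINS = {spki_pin(SERVER_CERT)}                               # pin set shipped in the app

if __name__ == "__main__":
    print("server chain accepted:", connection_allowed([SERVER_CERT], PINS))
    print("proxy chain accepted: ", connection_allowed([PROXY_CERT], PINS))
```

Because the check compares key hashes rather than asking whether the chain leads to a trusted CA, a proxy certificate is rejected even when its CA is installed on the device, which is why interception needs an explicit opt-out such as the setting described below.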
Dubbed “Whitehat Settings,” the new option now lets researchers easily bypass Certificate Pinning on the Facebook-owned mobile apps by:
- Disabling Facebook’s TLS 1.3 support
- Enabling proxy for Platform API requests
- Using user-installed certificates
“Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2,” Facebook says.