Meta wants you to find the flaws in its new VR headsets

When a new technology appears, cybercriminals and scammers take an interest in it almost immediately to see what it can do for them.

Smartphones and the Internet of Things, to name a few, are increasingly part of our way of life and all these technologies are targets of malicious hackers looking to steal passwords, personal information, bank details and much more.

As the metaverse and virtual reality emerge as a new way to live, work and relax online, these platforms will quickly become targets for cybercriminals, eager to find and exploit vulnerabilities in hardware and software or perhaps to exploit the technology to serve their scams.

Today, Facebook owner Meta, which invests large sums in its metaverse-building projects, wants to get ahead of hackers by asking security researchers to identify vulnerabilities and problems in metaverse-related products, such as Meta Quest, Meta Quest Pro, and Meta Quest Touch Pro. Rewards for bug discoveries can run into hundreds of thousands of dollars.

Familiarize yourself with the equipment

Facebook has had a bug bounty program in place for its web apps since 2011, but while the metaverse is a key pillar of Meta’s business strategy, the company is still relatively new to hardware development.

By encouraging cybersecurity experts to penetrate the metaverse, the company seeks to improve product security for everyone.

“One of our priorities is to further integrate the outside research community with us in our journey to secure the metaverse. Because this is a relatively new space for many, we’re working to make the technology more accessible to bug hunters and help them submit good reports faster,” says Neta Oren, Head of Security Analysts and head of Meta’s bug bounty program.

Part of the strategy behind this work is to make Meta’s virtual reality headsets known to security researchers and hackers, which it has done with Meta BountyCon, a security conference focused on bug bounties that lets bug hunters familiarize themselves with the products.

Various rewards

Meta has updated its bug bounty terms to highlight that its latest products, the Meta Quest Pro and Meta Quest Touch Pro controllers, are eligible for the bug bounty program and has added new payment guidelines for VR technology, including specific bugs for Meta Quest Pro.

And for those who discover security flaws in Meta’s virtual reality and metaverse technology, the financial rewards can run into the hundreds of thousands of dollars.

The payment rules detail how payments for discovering mobile remote code execution bugs — vulnerabilities that could allow an attacker to run malware or take control of a device — can reach $300,000, while researchers who discover account takeover vulnerabilities can be rewarded up to $130,000.

The financial rewards are high because Meta wants to incentivize hackers who may have never looked at the company’s VR offerings. “We want to help researchers prioritize their efforts and focus on some of the most important areas of our platform,” says Neta Oren.

The bug bounty system has already revealed several previously unknown vulnerabilities.

Defects already fixed

A disclosure sent to BountyCon revealed an issue in Meta Quest’s OAuth flow — an open standard used to allow websites or applications to access user information on other websites — that could have allowed an attacker to take control of a user’s account and access token with just two clicks.

“We have corrected this issue and our investigation has found no evidence of abuse. We have awarded this report a total amount of $44,250, which reflects the impact of the vulnerability,” says Neta Oren.

Another researcher received $27,200 after discovering a vulnerability that could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to crack the verification code required to confirm someone’s phone number. The vulnerability was also patched after it was disclosed.
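The mitigation for the class of bug described above is a per-code attempt budget, so that a six-digit SMS code cannot be guessed exhaustively. The following is an added illustration, not Meta’s code: a hypothetical in-memory verification-code store with a constructed policy (five failed attempts, five-minute lifetime, single use), plus a helper showing that exhaustive guessing is cut off by the budget.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # constructed policy: failed guesses allowed per issued code
CODE_TTL_SECONDS = 300  # constructed policy: lifetime of an issued code


class VerificationCodeStore:
    """Hypothetical store: one pending code per phone number with an attempt budget.

    A real deployment keeps this state server-side so that reconnecting or
    re-requesting the check cannot reset the counter.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # phone -> [code, issued_at, failed_attempts]

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # uniform 6-digit code
        self._codes[phone] = [code, self._now(), 0]
        return code

    def pending(self, phone: str) -> bool:
        return phone in self._codes

    def verify(self, phone: str, candidate: str) -> bool:
        entry = self._codes.get(phone)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or failed >= MAX_ATTEMPTS:
            del self._codes[phone]  # expired or budget exhausted: force a re-issue
            return False
        if hmac.compare_digest(code, candidate):  # constant-time comparison
            del self._codes[phone]  # a code is accepted at most once
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[phone]  # budget exhausted: even the right code is now useless
        return False


def exhaustive_guessing_succeeds(store: VerificationCodeStore, phone: str) -> bool:
    """Walk every 6-digit value; with an attempt budget the walk ends after MAX_ATTEMPTS."""
    for n in range(10**6):
        if store.verify(phone, f"{n:06d}"):
            return True
        if not store.pending(phone):
            return False  # the store invalidated the code; nothing left to test
    return False
```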

These vulnerabilities may not have been discovered, at least not as quickly, without the bug bounty system, which Meta wants to continue developing.

“We welcome any input from the outside community to get as many eyes on the code as possible, to continue testing our products, and to make them more secure,” says Neta Oren.

Virtuous research community

The metaverse bug bounty program follows in the footsteps of other existing Meta programs, some of which have been around for a decade. The company also has a number of information security teams to ensure that the metaverse and other Meta platforms are as secure as possible against cyber threats.

These include product security reviews, a threat modeling team, an offensive team that performs penetration tests against the company, and more, all of which complement the bug bounty program. Meta combines all of these efforts to ensure that any product released is as secure as possible against as many threats as possible.

“These are all things that we’ve learned over the years and that we apply when we build new products, so the new products already incorporate all of these measures,” Neta Oren clarifies.

Once disclosed vulnerabilities have been investigated and mitigated, security updates are rolled out to products. To ensure that security updates that fix vulnerabilities are applied, Meta’s VR products automatically check for updates on startup and then apply them.

“We share these bugs publicly so everyone in the industry can learn from them. It’s common that once a large company publishes these things, other companies look for something similar internally,” says Neta Oren. And because external researchers aren’t limited to Meta products, if they find something in Meta Quest Pro or another Meta device, they are also likely to look at similar products created by others.

“We know our researchers don’t just hunt on Meta. So if they find a bug with us, they can go get it from our competitors and report it to them too,” says Neta Oren. “That’s why we think education is so important, because researchers, whatever they learn with us, they will implement for other companies as they hunt,” he adds.
