Facebook dodges potential 'peeping Tom' webcam exploit thanks to bug hunters


It appears that Facebook has dodged a somewhat serious security mishap that would have allowed hackers to remotely and secretly activate user webcams and post the recorded video to their profiles. According to Bloomberg, a pair of researchers at XY Security discovered this bug in July and submitted it to Facebook, who paid the pair $2,500 in cash for their efforts — that's five times the typical going rate Facebook offers for bugs users submit, an admission that the bug was particularly serious. A Facebook spokesperson told Bloomberg that it found no users were affected when it closed the hole, but it's still a potentially serious flaw the company must be glad it fixed before things got ugly. "This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild," Facebook spokesperson Fred Wolens wrote to Bloomberg in an e-mail.

Facebook may have dodged a bullet

This is hardly the first "peeping Tom" exploit out there, but one on the gigantic Facebook platform could have been a black eye for a company trying to reverse its struggling position in the stock market. Given the negative attention that apps like Snapchat and Poke have received recently for not being as secure with their videos as they claim, it seems like video privacy will continue to be a hot security topic for the foreseeable future. That said, Facebook insists the process to access user webcams was quite a difficult one. "Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop / publish the video," Wolens wrote. Regardless of the difficulty level, the crushing of this exploit is a good example of the value of various "bug bounty" programs that companies like Facebook, Mozilla, and Google take advantage of.
