My Brief Career as a Facebook Bug Bounty Hunter

You, too, can poke holes in the social media giant's platform while giving up yet even more of your personal information.

By Bryan Carney 12 Apr 2018 | TheTyee.ca

Bryan Carney is director of web production at The Tyee.

Two weeks ago, I told Facebook about a vulnerability that allowed apps to gather data on the Facebook friends of someone who downloads a quiz or game - the same kind of tactic used to collect information on millions of people for Cambridge Analytica.

In fact, I informed them about three vulnerabilities and got a "bug bounty" from Facebook for one of them. It's part of the social media company's program allowing independent coders or well-meaning hackers to help find weaknesses in Facebook's software that could be exploited by malicious hackers.

But there is a very Facebookesque requirement before someone can collect a reward from them: yet more of your personal information. And it is difficult to know if bugs submitted were recognized through your efforts as a bug bounty hunter or if they were fixed by Facebook independently of the submission you made — you are required to trust a company that's under intense public scrutiny, including this week before the U.S. Congress.

Facebook's "white hat" program is designed to encourage coders who find vulnerabilities to turn them in and earn cash rather than sell them to say, media strategist and former White House staffer Steve Bannon, who is not ordinarily portrayed in white or hats.

The bug bounty style of program has worked so well for companies like Apple, for instance, that it's almost impossible to "jailbreak" - basically install software unapproved by Apple to the devices - the most recent iPhones. Hackers who find a flaw that enables such software hacks often opt to hand it in and take the reward from Apple instead of releasing it to the public, where they might get street cred and perhaps some less legitimate revenue.

The principle behind it is analogous to the catch-and-kill method used by Donald Trump buddy David Pecker at The National Enquirer's parent company (he's also a Postmedia board member) to shut down negative press about the president: pay the highest fee and take the vulnerability out of circulation.

Given its current situation, Facebook would probably avoid anything like another Cambridge Analytica just now. So it has a strong incentive to pay out a bug claim submitted by a white hat hacker.

Facebook offered me a reward for the smaller flaw it acknowledged - a modest sum though well above the company's minimum prize of $500 US. I was given three options to receive the payment.

One was PayPal, where I pictured handing over a percentage of the bounty to company founder Elon Musk (though he sold PayPal 16 years ago) and waiting years to spend it all on eBay.

Another was through wire transfer, which sounded like something for a James Bond villain but was neither instant nor online-friendly.

And then there was cryptocurrency - or BitCoin, specifically, which has much more contemporary elite criminal associations.

The Bitcoin option is particularly amenable to "white hat" programs because it should theoretically offer a bounty claimant some anonymity - one of the major reasons to use crypto funds. A hacker might prefer not to attract attention to their skills, for instance, which may blow their cover and methods in other investigations.

But this is still Facebook. Elite hacker or not, if you want to be paid in untraceable bit-based currency (whose value changes along with entire fortunes each time a well-known crypto-bro tweets their dreams about the future), you're going to have to shell out all that Facebook has ever wanted from you: your personal information.

Facebook referred me to third-party code-for-cash system provider Bugcrowd. And Bugcrowd let me know I wasn't getting a single "bit" of my coin without filling out a W-8BEN tax form with my full legal and verifiable name, phone and address. The Bugcrowd rep did at least briefly break character in an email and acknowledge the irony so that I would get on with it, which I did.

On top of this, if you want to submit a bug, the first thing you'll be asked is to sign in with your Facebook login. Not a tough one to work around with a fake new Facebook account, but you can probably safely bet your account will get a mild perusal by somebody with a little more power on the platform than a survey or game app.

By the next morning, I was assured I would have whatever the sum's equivalency in Bitcoin was now trading at, sitting in a digital wallet so that I could spend my days agonizing over what point in the roller coaster to cash it in.

I awoke to the news I had already lost a good chunk of value from the tail end of a six per cent drop from the day before.

My own fault for choosing the volatile currency.

Meanwhile, Facebook said the largest vulnerability I submitted did not need fixing. But it turns out that same vulnerability was hastily fixed 11 days after I wrote about it for The Tyee.

Facebook's fix was done using a "breaking changes" release, meaning the sudden change would break any apps that relied on the functionality, causing headaches for app developers and Facebook.

This suggests Facebook either strategically denied the vulnerability in their response to me while it made plans to fix it or it failed to see the significance at the time of reporting and later made the change independently of my reporting it to them.

By contrast, when Facebook changed the original friends list that enabled Cambridge Analytica's app to amass a database, it gave the app developers a year to change their code, during which they could still use the lists.

"We addressed one issue based on the report, however the other issue reported could only collect public content, which is not in scope for a reward," said a Facebook spokesperson.

The vulnerability I identified is this: until April 4, apps could officially still get the names and profile pictures of your "taggable friends" (usually nearly all of them, because few Facebook users turn this option off) without the friends' consent. The app owners could use your friends' names and images to collect public data on them and tie it to what they already know about you.

The company said it did not have the numbers when asked how many apps had the ability to get "taggable friends" when it suddenly closed the ability. I also asked how many users the apps had and how many taggable friends these users had.

Facebook recently revealed that "malicious actors" used public search tools with no special permissions or access to fetch information about users. These actors used email or phone numbers obtained through identity theft or other leaks as a starting point to target large lists of individuals using the search tool, which enabled the stolen identities to be linked to their public Facebook profiles.

The vulnerability The Tyee presented was the same, except it relied on the friends list Facebook itself was still providing as a starting point, instead of an external list of names.

The search tool that The Tyee pointed out seems to have been shut down completely now, though Facebook said it "should now be changed to be consistent with the other endpoints" on the platform.

Facebook did not offer an explanation for this additional change.

Until April 4, Facebook was still allowing apps to collect the names of users' friends without their consent. Further data on them could then be collected outside the app itself, perhaps from many different computers, making the collection difficult if not impossible to detect.

Until this scrutiny, these systems were all designed not to restrict but to facilitate data collection. Because of this, there may still be more than a few bucks to be made by even unsophisticated coders who want to poke a few holes in Facebook's various systems and find and report vulnerabilities.

That's as long as the coders trust Facebook will acknowledge any new flaws handed over and don't mind having a few more data points created in the company's files about them.