Meta wants you to find fault with the new virtual reality headset

When a new technology emerges, cybercriminals and fraudsters are interested in it almost immediately to see what it can do for them.

Smartphones and the Internet of Things, to name a few, are increasingly part of our way of life – and all of these technologies are targets for malicious hackers looking to steal passwords, personal information, banking details and more.

As the metaverse and virtual reality emerge as a new way to live, work and play online, these platforms will quickly become targets for cybercriminals looking to find and exploit vulnerabilities in their hardware and software, or to use the technology itself to carry out their scams.

Today, Facebook owner Meta, which is investing heavily in building the metaverse, wants to get ahead of hackers by asking security researchers to identify vulnerabilities and problems in metaverse-related products such as Meta Quest, Meta Quest Pro and Meta Quest Touch Pro. Rewards for finding vulnerabilities can run into the hundreds of thousands of dollars.

Familiarize yourself with the equipment

Facebook has had a bug bounty program for its web apps since 2011, but while the metaverse is a key pillar of Meta’s business strategy, the company is still relatively new to hardware development.

By encouraging cybersecurity experts to “hack” the metaverse, the company seeks to improve the security of its products for everyone.

“One of our priorities is to further integrate the external research community with us in our journey to secure the metaverse. As this is a relatively new space for many, we are working to make the technology more accessible to bug hunters and help them submit valuable reports faster,” says Neta Oren, head of security analysts and of the Meta bug bounty program.

Part of the strategy behind this work is to educate security researchers and ethical hackers about Meta’s VR headsets, which was done through Meta BountyCon, a security conference focused on bug hunting that lets bug hunters familiarize themselves with the products.

Various rewards

Meta updated its bug bounty terms to highlight that its latest products, the Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program, and added new payout guidelines for virtual reality technology, including bugs specific to the Meta Quest Pro.

And for those who discover security flaws in Meta’s virtual reality and metaverse technology, financial rewards can reach hundreds of thousands of dollars.

The payout guidelines detail how rewards for discovering mobile remote code execution bugs — vulnerabilities that could allow an attacker to run malware on or take control of a device — can reach $300,000, while researchers who discover account takeover vulnerabilities can be awarded up to $130,000.

The financial rewards are high because Meta wants to attract hackers who may never have looked at the company’s virtual reality offerings. “We want to help researchers prioritize their efforts and focus on some of the most important areas of our platform,” says Neta Oren.

The bug bounty program has already uncovered several previously unknown vulnerabilities.

Bugs already fixed

A disclosure submitted at BountyCon revealed a problem in Meta Quest’s OAuth flow — an open standard used to allow websites or applications to access user information on other websites — that could have allowed an attacker to take control of a user’s access token and account with just two clicks.

“We have remedied this issue and our investigation found no evidence of abuse. We award this report a total amount of $44,250, which reflects the impact of the vulnerability,” says Neta Oren.

Another researcher was awarded $27,200 after discovering a vulnerability that could have allowed an attacker to bypass the SMS-based 2FA system: a rate-limiting flaw made it possible to brute-force the verification code required to confirm someone’s phone number. This vulnerability was also fixed after it was discovered.
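The SMS 2FA finding above comes down to a verification endpoint that let a caller keep guessing. The following is an added example, not Meta’s code or anything from the report, showing the defensive shape that closes that gap: each issued code tolerates only a fixed number of failed guesses before it is burned, codes expire, and the comparison is constant-time. The constants (`MAX_ATTEMPTS`, `CODE_TTL`, `CODE_DIGITS`), the class names and the sample phone number are all assumptions chosen for illustration.

```python
"""
Rate-limited phone verification-code check (added illustrative example).

Assumed parameters (not from any real system): a 6-digit numeric code,
at most MAX_ATTEMPTS failed guesses per issued code, and a code lifetime
of CODE_TTL seconds.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5   # failed guesses tolerated before the code is invalidated
CODE_TTL = 300     # seconds an issued code stays valid
CODE_DIGITS = 6    # 10**6 possible codes: far too few without a guess limit


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failed_attempts: int = 0


class PhoneVerifier:
    """Issues and checks one-time codes, burning a code after too many misses.

    A 6-digit code has only 1,000,000 possibilities, so an endpoint that
    accepts unlimited guesses can be exhausted by automation. Capping misses
    per issued code bounds a guesser to MAX_ATTEMPTS tries, after which the
    legitimate user must request a fresh code.
    """

    def __init__(self, clock=time.time):
        self._pending: dict[str, PendingCode] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, phone: str) -> str:
        """Create a new code for `phone`, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = PendingCode(code=code, issued_at=self._clock())
        return code  # a real system sends this by SMS; never return it to the caller

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "expired"
        if self._clock() - entry.issued_at > CODE_TTL:
            del self._pending[phone]
            return "expired"
        if entry.failed_attempts >= MAX_ATTEMPTS:
            return "locked"  # code is burned even if this guess were right
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(entry.code.encode(), guess.encode()):
            del self._pending[phone]  # single use
            return "ok"
        entry.failed_attempts += 1
        return "locked" if entry.failed_attempts >= MAX_ATTEMPTS else "wrong"


def demo() -> dict:
    """Constructed scenario: MAX_ATTEMPTS misses burn the code, so even the
    correct value is refused afterwards; a freshly issued code works again."""
    v = PhoneVerifier()
    phone = "+15550000000"  # constructed sample number
    code = v.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    misses = [v.verify(phone, wrong) for _ in range(MAX_ATTEMPTS)]
    after_lock = v.verify(phone, code)  # correct code, but already burned
    fresh = v.issue(phone)
    return {"misses": misses, "after_lock": after_lock, "fresh_ok": v.verify(phone, fresh)}


if __name__ == "__main__":
    print(demo())
```

The per-code counter is the piece the page says was missing. In practice it is paired with a second limit on how often a new code may be requested for the same number, since otherwise a guesser simply re-issues codes to reset the counter, and with logging of lockouts so repeated lockouts on one number show up in detection.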

These vulnerabilities might not have been discovered – at least not so quickly – without the bug bounty system, which Meta wants to continue to develop.

“We welcome any input from the external community in order to have as many eyes on the code as possible, to continue testing our products and make them more secure,” says Neta Oren.

Virtuous Research Community

The metaverse bug bounty program follows in the footsteps of other existing Meta programs, some of which have been in place for a decade. The company also has a number of information security teams working to keep the metaverse and its other platforms as secure as possible against cyber threats.

These include product security reviews, a threat modeling team, a red team conducting penetration tests against the company, and more, all of which complement the bug bounty program. Meta combines all of these efforts so that every product it releases is as secure as possible against as many threats as possible.

“These are all things that we have learned over the years and that we apply when we build new products, so the new products already include all these measures”, explains Neta Oren.

Once newly discovered vulnerabilities have been investigated and mitigated, security updates are deployed to the products. To make sure these fixes actually reach devices, Meta’s VR products automatically check for updates at startup and apply them.

“We share these mistakes publicly so that everyone in the industry can learn from them. It’s common that as soon as a big company publishes these things, other companies look internally for something similar,” says Neta Oren. And since outside researchers aren’t limited to Meta products, if they find something on the Meta Quest Pro or another Meta device, they’re likely also looking at similar products built by others.

“We know that our researchers don’t just follow Meta. So, if they find a defect in us, they can go get it from our competitors and report it to them too,” says Neta Oren. “That’s why we think education is so important, because researchers, whatever they learn with us, they’ll apply to other companies as they hunt,” she adds.
