Facebook recently ran a Whitehat survey in which researchers reported that Facebook’s security controls, while good for the app, make it harder for bug bounty hunters to test the mobile apps for server-side security vulnerabilities.

To fix that, Facebook has announced a new settings option in its apps.

Facebook has added a new ‘Whitehat Settings’ option to the Facebook, Messenger and Instagram Android apps (not yet available on the iOS clients), which allows security researchers to bypass Facebook’s certificate pinning security mechanism.

As Facebook explains, Certificate Pinning mechanisms are “designed to raise the barrier of entry for an attacker, seeking to break the integrity and confidentiality of the traffic sent from the client (user device) to the server (Facebook’s infrastructure).”

The Whitehat Settings can be enabled by visiting the Facebook settings page. You can also find additional details and video tutorials on the website’s support page.

You can find the feature under Facebook’s Settings > Settings & Privacy > Whitehat Settings. In Messenger and Instagram, the feature is likewise listed in each app’s Settings menu.

Once you enable the feature, you will see that it comes with its own settings, such as a built-in proxy for Facebook Platform API interactions, the ability to disable Facebook’s TLS 1.3 support, and the option to trust user-installed certificates for easier traffic interception.

Note that Facebook recommends security researchers turn the Whitehat Settings off as soon as they have finished testing, as the feature can weaken an account’s overall security posture while it is enabled.
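For comparison, this is how the same trade-off is normally expressed in a third-party Android app: certificate pinning stays on in release builds, and user-installed CA certificates are trusted only in debuggable builds. This is an added example of Android’s network security configuration, not Facebook’s own configuration; the domain and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour: only connections whose chain contains one of the
         pinned SubjectPublicKeyInfo hashes are accepted for this domain.
         api.example.com and both pins are placeholders, not real values. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <!-- primary pin: base64(SHA-256(SPKI)) of the current leaf or intermediate -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- backup pin for a key that is kept offline, so rotation does not brick clients -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug-only override: applied by Android only when the app is built
         with android:debuggable="true", so a user-installed proxy CA is
         trusted for interception in test builds and ignored in production. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Android ignores pins for trust anchors that come from `<debug-overrides>`, which is why interception works in debug builds without the pin-set being removed; the Whitehat Settings toggle gives Facebook’s release apps an equivalent, user-controlled switch.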
