Security researcher at Facebook accused of unethical practices, got almost fired for finding bug in Instagram

Security researcher, Wesley Wineberg, who uncovered a major Instagram hole, faced accusations from Facebook Inc. for going beyond his ethical standards.

Wesley Wineberg was hired for accessing the server of Instagram and reporting possible bugs. Earlier, he was associated with other companies in their bug bounty programs. Wineberg discovered a web-accessible administrative console having bugs that could probably allow hackers to mess up with Instagram.

Facebook awarded the researcher with $2,500 on his first diagnosis. According to Alex Stamos, the Chief security officer of Facebook, Wineberg did everything as per the regulations and boundaries of this bug bounty program.

Some rules included hindering or interrupting the server, destruction of data and avoiding privacy violations. His next step was to search some more security holes after discovering the initial vulnerability in the server.

Later, an access to the database was found; wherein he could download usernames as well as use some password-cracking program for entering the accounts. He realized that some passwords were very weak and had generic words such as ‘Instagram‘, ‘Changeme’ and ‘Password’, while some had the usernames itself.

He found a lot of sensitive content, although the majority of it was archives of web applications and tools. The researcher stated that respecting the policies of bug bounty program of Facebook, he didn’t download user data and avoided accessing Instagram source codes.

However, this exploration was taken quite seriously, and Facebook accused Wineberg of using unethical practices and crossing the boundaries of the company.

A spokesperson of Facebook claimed that the researcher should have maintained trust and shouldn’t have taken advantage by accessing private information.

He further explained that Wineberg withheld information as well as bugs intentionally and violated the guidelines by pulling in non-user and private data from internal systems. Facebook has threatened Wineberg of suing him.