New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps

Facebook has introduced a new feature in its platform that has
been designed to make it easier for bug bounty hunters to find
security flaws in Facebook, Messenger, and Instagram Android
applications.

Since almost all Facebook-owned apps by default use security
mechanisms such as Certificate Pinning to ensure integrity and
confidentiality of the traffic, it makes it harder for white hat
hackers and security researchers to intercept and analyze network
traffic to find server-side security vulnerabilities.

For those unaware, Certificate Pinning is a security mechanism
designed to prevent users of an application from being a victim of
network-based attacks by automatically rejecting the whole
connection from sites that offer bogus SSL certificates.

Dubbed “Whitehat Settings,” the new option now lets
researchers easily bypass Certificate Pinning on the Facebook-owned
mobile apps by:

• Disabling Facebook’s TLS 1.3 support
• Enabling proxy for Platform API requests
• Using user-installed certificates

“Choose not to use TLS 1.3 to allow you to work with proxies such
as Burp or Charles which currently only support up to TLS 1.2,”
Facebook says.

Whitehat
Settings^[1] is not visible to
everyone by default. Instead, researchers have to explicitly
enable this
feature^[2] for their Android apps
from a web interface on the Facebook website, as shown.

Once enabled, you’ll see a banner at the top of your app (Facebook,
Messenger, or Instagram) indicating that the network testing is
enabled and your traffic may be monitored.

If you want to test the Instagram app for security
vulnerabilities using the newly-launched Whitehat Settings, you are
first advised to link your Instagram app with your Facebook
app.

It should be noted that Whitehat Settings are not meant for
everyone to use, as it reduces the security for Facebook apps
installed on your device.

How do you feel about this new setting? Let us know in the comment
box below.