A Harvard student with a Facebook internship doesn’t seem very unusual, but it’s a little more interesting when he takes the company to task and then gets fired.
Aran Khanna published a Chrome extension in May called the “Marauder’s Map” that exploited a known loophole in Facebook Messenger’s geolocation service to track friends—and, even weirder, friends of friends—and plot them on a map. The location accuracy was within about 3 feet. He wrote in a Medium post on May 26:
You may not believe that there are enough of these location tagged messages to provide truly invasive data on any one person, since they must be on mobile, with GPS on, and choose to share their location for it to be sent… right?
What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages.
Khanna explained that he wanted to publish the extension so people could understand the potential implications of the geolocation sharing and make an informed choice about whether they were OK with leaving it enabled.
Facebook was not pleased. Boston.com reports that first the company asked Khanna not to talk to the press about his project, then it told him to remove the extension. He did both, but finally Facebook told him that he’d lost his internship. Nine days after Khanna published his Medium post, the company pushed an update for Messenger that closed the location sharing loophole.
Facebook said in an email statement that it had started working on the Messenger update months before. It added, “this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety.” Khanna noted to Boston.com that the data his extension pulled was from users’ own messages, meaning it was data they already had full access to whether or not they used his tool. Khanna ended up getting an internship at a different startup for the summer.
“People who make things and people who break things are not natural allies.” Josephine Wolff wrote that on Slate Thursday after the security lead at software maker Oracle published a blog post Monday condemning people for discovering and sharing bugs in Oracle’s products. Even when companies offer bug bounty programs, the reaction when someone exposes a problematic vulnerability is notoriously unpredictable. The Oracle rant, which has since been taken down, was a particularly, um, candid look at how threatened many companies feel when outsiders find problems with their code. But by going on the defensive rather than embracing scrutiny, companies miss the opportunity to get skilled hackers on their side.
“We don’t dismiss employees for exposing privacy flaws, but we do take it seriously when someone misuses user data and puts people at risk,” Facebook said. Like really really seriously.
Update, August 13, 6:10 PM: Facebook notes that it has an active bug bounty program that, for example, just awarded $100,000 this week to researchers at Georgia Tech who discovered vulnerabilities in C++ programs.*
In the case of Messenger for Android geolocation, Facebook added the functionality in 2011. Since then numerous sites have published explainers on how to turn off the auto-on tracking, suspecting that Facebook users might not be aware that it was adjustable or even happening.
*Correction, August 14: The August 13 update to this post misstated the amount of money that Facebook’s bug bounty program awarded to researchers at Georgia Tech. It was $100,000.