Meta wants you to find the flaws in their new virtual reality headset

When a new technology emerges, cybercriminals and fraudsters are almost immediately interested in what it can do for them.

Smartphones and the Internet of Things, to name just two, are increasingly part of our daily lives, and all of these technologies are targets for malicious hackers looking to steal passwords, personal information, bank details and more.

As the metaverse and virtual reality emerge as a new way to live, work and relax online, these platforms will quickly become targets for cybercriminals eager to find and exploit vulnerabilities in hardware and software, or to use the technology to further their fraud.

Today, Facebook owner Meta, which invests huge sums in its metaverse projects, wants to get ahead of hackers by asking security researchers to identify vulnerabilities in metaverse-related products such as Meta Quest, Meta Quest Pro and the Meta Quest Touch Pro controllers. Rewards for bug findings can run into the hundreds of thousands of dollars.

Become familiar with the equipment

Facebook has had a bug bounty program in place for its web apps since 2011, but while the metaverse is a central pillar of Meta’s business strategy, the company is still relatively new to hardware development.

By encouraging cybersecurity experts to hack into the metaverse, the company seeks to improve product security for everyone.

“One of our priorities is to further integrate the external research environment with us on our journey to secure the metaverse. Since this is a relatively new space for many, we are working to make the technology more accessible to bug hunters and help them submit valid reports faster,” says Neta Oren, Head of Security Analysts, who is responsible for the bug bounty program at Meta.

Part of that strategy is to get Meta’s virtual reality headsets into the hands of security researchers and hackers, which the company has done through Meta BountyCon, a bug bounty-focused security conference where bug hunters can get hands-on with the products.

Varied rewards

Meta updated its bug bounty terms to make clear that its latest products, the Meta Quest Pro headset and the Meta Quest Touch Pro controllers, are in scope, and added new payout guidelines for virtual reality technology, including guidelines for bugs specific to Meta Quest Pro.

For those who discover security flaws in Meta’s virtual reality and metaverse technology, the financial rewards can run into the hundreds of thousands of dollars.

The payout guidelines state that rewards for mobile remote code execution flaws – vulnerabilities that let an attacker run malware on, or take control of, a device – can reach $300,000, while researchers who uncover account takeover vulnerabilities can be awarded up to $130,000.

The financial rewards are high because Meta wants to motivate hackers who may never have looked at the company’s virtual reality offerings. “We want to help researchers prioritize their efforts and focus on some of the most important areas of our platform,” says Neta Oren.

The bug bounty system has already revealed several previously unknown vulnerabilities.

The bugs have already been fixed

A disclosure submitted at BountyCon revealed a problem in Meta Quest’s OAuth flow – an open standard that lets a website or app access a user’s data on another service without handling the user’s password – that could have allowed an attacker to take over a user’s access token, and with it the account, with just two clicks.

“We have fixed this issue and our investigation found no evidence of abuse. We awarded this report a total amount of $44,250, which reflects the impact of the vulnerability,” says Neta Oren.

Another researcher was awarded $27,200 after discovering a vulnerability that could have allowed an attacker to bypass SMS-based 2FA: a rate-limiting flaw made it possible to brute-force the verification code used to confirm a phone number. That vulnerability was also patched after it was disclosed.
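The article does not describe the disclosed bug beyond “a rate-limiting issue”, so the following is an added illustration of that bug class, not Meta’s code and not the reported flaw itself. It pairs an SMS-code verifier with no attempt budget against one that burns the code after a fixed number of wrong guesses and expires it after a TTL, and runs the same brute-force loop against both. The 6-digit code length, the 5-attempt budget and the 300-second TTL are assumed policy values chosen for the example.

```python
# Added example (not Meta's code): why a missing rate limit on an SMS
# verification endpoint lets an attacker brute-force the one-time code,
# and what a per-code attempt budget and expiry do about it.
# CODE_DIGITS, MAX_ATTEMPTS and CODE_TTL_SECONDS are assumed values.
from __future__ import annotations

import hmac
import secrets
import time

CODE_DIGITS = 6            # typical SMS code length (assumed)
MAX_ATTEMPTS = 5           # assumed: burn the code after 5 wrong guesses
CODE_TTL_SECONDS = 300     # assumed: code expires 5 minutes after issue


def new_code() -> str:
    """Generate a zero-padded 6-digit code with a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class WeakVerifier:
    """Checks every guess and never gives up: 10**6 guesses always win."""

    def __init__(self, code: str):
        self._code = code
        self.verified = False

    def verify(self, guess: str) -> str:
        if hmac.compare_digest(guess, self._code):  # constant-time compare
            self.verified = True
            return "ok"
        return "wrong"


class HardenedVerifier:
    """Same check, plus an attempt budget and an expiry per issued code.

    `clock` is injectable so the expiry path can be exercised offline.
    """

    def __init__(self, code: str, clock=time.monotonic):
        self._code = code
        self._clock = clock
        self._issued_at = clock()
        self.attempts = 0
        self.verified = False
        self.locked = False

    def verify(self, guess: str) -> str:
        if self.locked:
            return "locked"
        if self._clock() - self._issued_at > CODE_TTL_SECONDS:
            self.locked = True
            return "expired"
        self.attempts += 1
        if hmac.compare_digest(guess, self._code):
            self.verified = True
            return "ok"
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True          # code burned; user must request a new one
            return "locked"
        return "wrong"


def brute_force(verifier) -> tuple[bool, int]:
    """Attacker loop: submit 000000..999999 until the server answers 'ok'
    or stops accepting guesses. Returns (success, guesses_submitted)."""
    for n in range(10 ** CODE_DIGITS):
        outcome = verifier.verify(f"{n:0{CODE_DIGITS}d}")
        if outcome == "ok":
            return True, n + 1
        if outcome in ("locked", "expired"):
            return False, n + 1
    return False, 10 ** CODE_DIGITS


def attacker_success_probability() -> float:
    """Chance that a hardened code is guessed within the attempt budget."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS


if __name__ == "__main__":
    code = new_code()
    ok, n = brute_force(WeakVerifier(code))
    print(f"weak:     success={ok} after {n} guesses")
    ok, n = brute_force(HardenedVerifier(code))
    print(f"hardened: success={ok} after {n} guesses "
          f"(p~{attacker_success_probability():.0e} per issued code)")
```

A per-code attempt counter is the minimum; in practice the endpoint also needs limits on how many fresh codes can be requested per phone number and per client, otherwise the attacker simply requests a new code after each lockout and keeps the same odds per round.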

These vulnerabilities might not have been discovered – at least not as quickly – without the bug bounty program that Meta wants to continue developing.

“We welcome any input from the external community to have as many eyes on the code as possible, to continue testing our products and to make them more secure,” says Neta Oren.

Virtuous research community

The metaverse bug bounty program follows in the footsteps of Meta’s other programs, some of which have been in place for a decade. The company also has a number of information security teams whose job is to keep the metaverse and Meta’s other platforms as secure as possible against cyber threats.

These include product security reviews, a threat modeling team, a red team that conducts penetration tests against the company, and more, all on top of the bug bounty program. Meta combines these efforts to ensure that every product it releases is as secure as possible against as many threats as possible.

“These are all the things we have learned over the years and which we apply when we build new products, so the new products already contain all these initiatives,” explains Neta Oren.

Once a newly reported vulnerability has been investigated and fixed, the fix ships as a security update for the affected products. To make sure updates that address vulnerabilities actually get applied, Meta’s VR products automatically check for updates at launch and install them.

“We share these mistakes publicly so that everyone in the industry can learn from them. It is common that when a large company first publishes this, other companies internally look for something similar,” says Neta Oren. And since external researchers are not limited to Meta products, if they find something in Meta Quest Pro or another Meta device, they will likely also look for it in similar products built by others.

“We know that our researchers are not only hunting Meta. So if they find an error with us, they can pick it up from our competitors and report it to them as well,” says Neta Oren. “That’s why we think training is so important, because researchers, whatever they learn with us, they will implement for other companies as they hunt,” she adds.
