Recently, Facebook introduced a new feature in its platform that is meant to make it easier for bug bounty hunters to find security flaws in the Facebook, Instagram and Messenger Android applications. Because all the apps owned by Facebook use security mechanisms such as Certificate Pinning by default, which ensures the integrity and confidentiality of the traffic, it is difficult for white hat hackers and security researchers to intercept and analyze the network traffic to find server-side security vulnerabilities. Certificate Pinning is a security mechanism designed to protect the users of an application from network-based attacks by automatically rejecting any connection to a website that presents an inappropriate SSL certificate.
The new option in Facebook's platform, dubbed "Whitehat Settings", allows researchers to easily bypass Certificate Pinning on the mobile apps owned by Facebook by:
- Using user-installed certificates
- Enabling a proxy for Facebook API requests
- Disabling Facebook's TLS 1.3 support
Whitehat Settings is not visible to everyone by default; researchers have to enable the feature explicitly for their Android apps from a web interface on Facebook's website. As soon as it is enabled, a banner appears at the top of the app (Facebook, Instagram and Messenger) indicating that network testing is enabled and the traffic will be monitored. If you want to test the Instagram app for security vulnerabilities using the newly launched Whitehat Settings, you first have to link your Instagram account to your Facebook account.