Facebook New Settings

Facebook Just Released New “White-Hat Settings” Feature to Help Bug Hunters Analyze Traffic in Its Mobile Applications – Techrealworld

Facebook has added a new “Whitehat Settings” feature that makes it easy for bug hunters to pentest the security of the Android apps for Facebook, Messenger and Instagram. The feature lets security researchers bypass Facebook's Certificate Pinning protection.

For those unaware, Certificate Pinning is intended to protect Facebook users' data in transit by automatically rejecting connections that present a forged SSL certificate, so that users do not fall victim to network-based attacks. Because nearly all Facebook-owned apps use Certificate Pinning by default, the same protection has made it hard for whitehat researchers to test Facebook-owned mobile apps for server-side security vulnerabilities.

Researchers can now readily bypass Certificate Pinning on Facebook-owned mobile apps, including the main Facebook app, the Messenger instant-messaging client and the Instagram app, by using the newly introduced options:

  • Disabling Facebook’s TLS 1.3 support
  • Enabling proxy for Platform API requests (applies to Facebook on Android only)
  • Using user-installed certificates for easier traffic interception

“Choose not to use TLS 1.3 to allow you to function with proxies like Burp or Charles that only support TLS 1.2 at the moment,” states Facebook. “These configurations are configured in two locations. The first is through the Web UI and the second is through the app UI. In other words, you must first enable them from your Facebook account through the Web to access these configurations from your mobile device,” notes Facebook.

The new feature will allow whitehat bug hunters to evaluate and report on network traffic from the Facebook, Messenger and Instagram apps while looking for vulnerabilities under the company's bug bounty program.

If you want to use the “Whitehat Settings” feature, you can enable it from the Settings page on Facebook. Further information and video tutorials can also be found on this support page.

The social media giant also recommends that whitehat bug hunters turn the settings off when they are not testing Facebook's website for security vulnerabilities.

Currently, the Whitehat Settings feature is supported only on Facebook's Android apps, and not on the iOS platform.
