In Silicon Valley, rewarding people for exposing security flaws is the norm. Facebook, however, is not happy when someone showcases weaknesses in its own products, despite having a bug bounty program that claims to reward those who do so.
Instead of rewarding Harvard University student Aran Khanna, who was set to begin his internship at Facebook in May, Facebook has decided to revoke his summer internship offer.
The bone of contention between the company and its ex-future intern was an app called Marauders Map, named after a magical tracking map in the Harry Potter universe that helps the user find the exact location of anyone they want.
In a blog post written for Medium, Khanna describes the app as a Chrome extension that lets users track the location of anyone they are chatting with, to within three meters of where that person is, using the default settings on Facebook Messenger. Facebook has been aware of this feature for three years but apparently took no action to correct it until after Khanna made it public.
Using data that is already available to the public, Khanna was able to map the locations of people he chatted with, even those who were not his Facebook friends. Digging deeper into the extension's functionality, Khanna was able to decipher any person's locations at any point in time and infer that person's entire daily schedule. This means anyone who had access to Marauders Map could predict any person's location at a certain time using private information that Facebook is making publicly available.
Khanna reiterates that he had no malicious intention in developing and publishing the app. He says Marauders Map was created to show people the visible consequences of unchecked location sharing because, although most people are told of the negative implications of weak security, they never or rarely get a real-world peek at how it could be damaging to them.
"I decided to write this extension because we are constantly being told how we are losing privacy with the increasing digitization of our lives, however the consequences never seem tangible," Khanna says.
But Facebook claims Khanna's version of the story is "revisionist history," saying that its engineers have already been working on a fix in the last few months. Upon the request of Facebook, Khanna deactivated Marauders Map, but he still made the code available for scrutiny on GitHub, which apparently did not sit well with Facebook.
"Despite being asked repeatedly to remove the code, the creator of the tool left it up," Facebook spokesperson Matt Steinfeld tells Boston.com. "This is wrong and it's inconsistent with how we think about serving our community."
Steinfeld also says Khanna violated Facebook's terms by scraping Facebook data, which endangered users' privacy and safety, but Khanna maintains that the data he used to create the app was available to the public.
A week after Khanna's internship was revoked, Facebook released a new update to Messenger that gives users "full control over when and how you share your location information." As for Khanna, he takes the entire brouhaha with Facebook as an "internship experience" in itself, while having had a full summer as an intern at a Silicon Valley startup.
Photo: Kārlis Dambrāns | Flickr