
Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User - ssclafani
http://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any-user
======
neilwillgettoit
As a security researcher, the most impressive part of this is the response
timeline from Facebook's security team. ~3 hours from first report to
temporary patch! That's insane.

~~~
eugenez
We also have a system for patching vulnerabilities which does not require a
full code push. It has been useful on a number of occasions. (source: I
patched this one)

~~~
stevenh
Does Facebook usually respond to exploit reports so quickly, or does the fact
that the discoverer (Stephen Sclafani) helped Facebook find bugs in previous
years mean that his emails were automatically flagged as high-priority?

~~~
eugenez
We try to respond to any exploit of this severity immediately, and will often
disable a feature temporarily while working on a fix rather than letting the
exploit remain open. It helps a lot when the repro steps are as clear as they
were in this one.

------
_nullandnull_
I'm not a huge fan of Facebook but that is one impressive bug bounty and turn
around time. Nice job to both parties.

~~~
beartime
What's wrong with fb?

~~~
nitrogen
In the spirit of [https://xkcd.com/1053/](https://xkcd.com/1053/), I'll assume
you haven't heard about the privacy violations, misleading or hard to find
control panels, and constant changes to visibility settings leading uninformed
users to unwittingly post sensitive information with public visibility.

Facebook (the web app) has its uses and reasons to like it, but there are also
lots of reasons not to like it.

------
brotoss
Pretty slick way to earn 20 grand...nice work

~~~
stevenh
Taking the following into consideration:

- The severity of the exploit, which may be nearly the maximum theoretical
possibility on a site like Facebook, aside from SQL injection or remote code
execution

- The multiple months worth of unpaid sleepless nights Stephen Sclafani
likely spent exploring countless dead-ends before finding this

- The fact that he beat black hats to the punch by discovering it first and
thus saved Facebook and its users from millions, perhaps billions, of dollars
worth of damages stemming from vague and mysterious causes over an indefinite
period of time

- The billions of dollars Facebook regularly uninhibitedly spends to acquire
a given startup

I feel that $20,000 is a bit low.

~~~
lstyls
"Insultingly low."

Really? 20K is about two months of salary for a Facebook engineer. So even if
he _did_ spend months on this like you speculate (he didn't) it's still an
industry-leading salary.

~~~
voltagex_
Holy crap, I'm working for the wrong company.

------
lnanek2
Reminds me of the whole SnapChat thing. People just aren't securing the
internal APIs their mobile apps use.

