
Stealing Facebook access_tokens using CSRF in device login flow - franjkovic
https://www.josipfranjkovic.com/blog/hacking-facebook-csrf-device-login-flow
======
dopamean
The circle jerk discussion about the rewards paid out by bug bounties on this
site is getting ridiculous. It has been talked about ad nauseam and it seems
that most people crying that the reward isn't high enough because "you could
make so much more on the black market" don't actually know anything about how
vulnerabilities are monetized on the black market.

~~~
jrandm
I'd be curious to know what those same folks think regular security staff
should be paid.

From another thread here, the author talking about the time involved:

> Two to three hours discovering and writing the initial report, couple more
> hours (unsuccessfully) trying to escalate it using pre-approved apps.

I'll round his estimate up to 6-8 hours, or basically a normal work day:

$5000 / 8 = $625 an hour

$625 * 40(hour work-week) * 50(weeks) = $1,250,000 annually

Let's say it took an entire week's worth of time (comes out at $125/hour):

$5000 * 50 = $250,000

Is that range wildly out of line for what Facebook would potentially be paying
for a full-time employee? The actual salary number would probably be lower;
this would include the cost of taxes/insurance/perks/etc.

Even as a contractor, where the "expect to bill ~1000 hours a year" rule of
thumb is/was common, that puts the range at $125,000-$625,000.

Seems as though if you can reliably find organizations willing to pay these
amounts and have the skill/luck/grit to grind out vulnerabilities at those
companies you'll make a decent living. Or, put another way, these companies
are paying bounties comparable to what the same research would have cost
coming from a staff member.

~~~
daraosn
Why would you calculate hourly rate? I'd rather try to calculate the economic
impact that this could have for the company, especially marketing costs to
repair bad PR if something like private messages, pictures, info, etc. get
breached. Do you think Facebook would spend $5,000 for that? Hell no,
marketing budgets are in the magnitude of millions of dollars... I'm in no way
supporting exploiting these vulnerabilities, and kudos to the OP (and many
others) for finding these bugs and reporting to their companies instead of
exploiting. I just think that big tech companies should pay bigger bounties.

~~~
jrandm
The hourly rate is to make an apples-to-apples comparison to someone whose
full-time job is to do that kind of security work, either salaried or
contracted.

Would it make sense to award bonuses to every in-house security researcher
based on an estimated, hypothetical worst-case cost? It doesn't take much
imagination to see how that reasoning applies to other positions. Do
accountants get big bonuses for avoiding multi-million-dollar errors? Lawyers
for avoiding costly lawsuits? Operations (IT and otherwise) for keeping
infrastructure running? Customer service for assuaging disastrous public
interactions? Stretched to absurdity, would you pay for a taxi based on how
badly you need to get to point B?

I believe saying "preventing these kinds of problems (doing this work) is what
we pay you for" is a reasonable conclusion and paying a market rate for that
general value makes more sense versus calculating a kind of commission per
individual contribution. That does have a certain appeal (and I wouldn't mind
seeing a discussion about it) but I haven't gotten the impression that's the
perspective of those who think all* bug bounties should be higher.

*: Added caveat as I'd bet every researcher can name companies that pay poorly

------
daraosn
I think $5,000 is a joke, this is a serious vulnerability... Despite this,
congratulations for finding it and reporting directly to them, the right way.
If it's possible to know, how many hours did you spend researching this?

~~~
shepardrtc
I think $5,000 is a lot of money. I'd be pretty happy if they sent that to me.
In years past, companies would just give you a nice pat on the back.

~~~
stephengillie
What if someone else was offering $10,000 for Facebook bugs, so they could
exploit them? This bug could probably result in more than $5,000 in damages to
the Facebook brand.

~~~
argonaut
_But someone isn't._ That's the point. These bugs don't go for $10k on the
black market.

~~~
rl3
That's odd considering the potential monetary damage of such bugs can far
exceed $10k.

~~~
XMPPwocky
One can smash a car up with a sledgehammer. Is the value of a sledgehammer
equal to the value of a car?

~~~
rl3
> _Is the value of a sledgehammer equal to the value of a car?_

My previous post was poorly worded; I didn't mean to imply equality.

To use your analogy, valuing a serious vulnerability on a platform that has
1.65B users in the $5-10k range is tantamount to selling a 30lb sledgehammer
for a dollar.

~~~
ponyfleisch
But what if producing a sledgehammer only cost 50 cents? Then people would
sell sledgehammers for a dollar or less.

~~~
rl3
Rather than torture this analogy further:

Obviously exploit pricing is generally efficient and adheres to free market
principles. That said, it's hypothetically possible that an exploit against a
large tech company could sell for far more if the circumstances are right,
considering the price to damage ratio is so skewed in addition to the unique
nature of each exploit.

Therefore, large tech companies don't really have much to lose by paying far
more than they currently do on bounties.

Granted, eliminating what's largely a hypothetical edge case is not the
primary benefit to paying higher; incentivizing far more white hat researchers
is.

------
a_imho
The black market is a false dichotomy. Either you need the money for your
work, then negotiate a reasonable price, or you don't, then disclosing it for
free might actually help someone not be lowballed by BigCo the next time.

There really should be a bug marketplace, instead of one side having all the
power and paying pennies.

~~~
tptacek
Markets aren't magical. They route resources, they don't create them from thin
air. If Facebook is ultimately the only organization that realizes $5000+ in
value from a vulnerability, then no matter how you structure the marketplace,
it isn't going to discover a higher price for that flaw.

If you believe otherwise, you're missing a business opportunity. Go create a
"bug market" for Facebook and Google serversides. It's not illegal to buy
vulnerabilities, or to sell them (so long as you're reasonably sure they're
not going to be used as part of a specific criminal enterprise --- but don't
worry, if you stick a $5000 price tag on a serverside bug, or even a $500
price tag, you can be pretty sure it won't be used by criminals).

~~~
a_imho
By submitting a bug through a bug bounty system you place the reward into
Facebook's hands. Following the same argument you can say they can offer $1,
because they are the only organization interested in the bug. After all,
exploiting a vulnerability puts you on the wrong side of the law.

However I do believe saying you discovered a pretty serious bug by putting it
on a market sends a strong message. Your system is vulnerable and you are too
cheap to pay up.

------
evoltix
Out of curiosity, was there any particular reason why you decided to write a
blog post about this vulnerability 5 months after the bug was fixed?

~~~
franjkovic
I wanted to move from Blogspot to a personal domain, but kept delaying it for
a long time.

------
cloudjacker
So you got paid $5,000? How long since the first report did it take for that
to reach your bank account?

~~~
franjkovic
The bug was reported on December 8th, 2015 and fixed on February 18th, 2016
which is an unusually long time for Facebook. The bounty reached my account
during the middle of March, but Facebook has recently changed their bounty
payment processor to Bugcrowd, and now they have weekly payments.

~~~
artursapek
Weekly payments as opposed to a lump sum? Why? I can't imagine cashflow is an
issue for them.

~~~
kornish
I suspect franjkovic means that there's a queue of lump sums to get deposited
to their respective owners, and payments in that queue get processed once per
week.

------
spoown
Well done, I hope you made some €€€ on it...

