

I found an XSS on facebook.com and am able to steal httpOnly cookies, now what? - facebookxss

Back in July, I searched for and discovered a cross-site scripting vulnerability on facebook.com, as well as what I would describe as infrastructure flaws that give me the ability to steal httpOnly authentication cookies used by Facebook. So far I have kept all the details to myself.

What should I do now?

Should I give away 4 days of hard work and disclose the vulnerabilities privately to Facebook?

Should I adopt full-disclosure and release the details concurrently to Facebook and everyone else?

Should I sell my findings to the black market? What is the harm really, beside some more Facebook spam until the flaws are fixed? You can reply to my post using this PGP key: http://article.gmane.org/gmane.test/5884

Should I sell them to legitimate buyers, penetration testers, private investigators, ...? Where are the TippingPoint ZDI or iDefense VCP of web site vulnerabilities?
======
pierrefar
I would email Facebook and tell them you have this info and you would like to
work with them and would like to be credited when they announce the fix. Most
companies will give you credit, where it's due. Also, companies of their size
ought to have a dedicated security email address.

Not sure what the legal status of selling this info is, without going into the
morality of doing that.

------
mike-cardwell
However you release the information, you should really give them advance
warning before you do so, and time to fix them. Maybe a month or a couple of
weeks.

------
madhouse
I'm a big fan of full disclosure - I'd do that. I would advise against selling
your findings; in the long run, that would only make facebook worse than it
already is.

So, either full disclosure, or tell facebook and give them a few days, I'd
say.

