
How I could have hacked any Facebook account - phwd
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
======
cphoover
Frankly I think the amount being awarded by these companies is minuscule when
you compare it to the amount of damage this information could have caused
Facebook in the wrong hands.

~~~
dsacco
This has been discussed many, many times on HN before. This bug would not
cause Facebook much damage; in fact, Facebook and Google tend to overpay
rewards for bugs for the purposes of goodwill and recruiting.

Let's examine the facts:

1. A Facebook vulnerability is dangerous to Facebook. A WordPress
vulnerability is dangerous to a quarter of the internet. Facebook is not a
high value target, relatively speaking.

2. A Facebook vulnerability will be patched once it is widely used.
Facebook's security team is one of the strongest and most sophisticated of any
company, and their processes would quickly catch this once it was used. The
total impact of the bug would be negligible. You'd lose the ability to
compromise accounts as soon as you tried to do it in any meaningful or
lucrative way.

3. A vulnerability in Facebook might last a week before being patched, but a
vulnerability in PHP will persist on the internet for years. No matter how
many individual sites patch their servers, you'll still be able to pop a
lonely server with social security numbers chugging along in a closet
somewhere.

There really isn't much more to say about this. People claim bounties awarded
by Facebook/Google/et al are undervalued every single time a bug bounty hits
the front page of HN. Every single time, someone who is in the security
industry patiently explains why it's not that valuable.

If someone tried to go to a blackhat group or go to the "black-market" (a
shadowy, lucrative place that never seems to be very well-defined in these
conversations), he would not even be able to find a seller, let alone one who
would pay a lot.

What do you imagine someone would pay for this on the black-market? They'd
need to profit from it. How much profit is worth their time?

Say they buy it for $20,000. Do you really think someone will derive $20,000
of profit from this before it's caught and patched by Facebook?

The only vulnerability worth $15,000 or more is one directly impacting a
language, a widely used development library/framework or a widely used piece
of software.

For further reading on bug bounty valuation:

[https://news.ycombinator.com/item?id=7106953](https://news.ycombinator.com/item?id=7106953)

[https://news.ycombinator.com/item?id=9302188](https://news.ycombinator.com/item?id=9302188)

[https://news.ycombinator.com/item?id=9040855](https://news.ycombinator.com/item?id=9040855)

[https://news.ycombinator.com/item?id=9041017](https://news.ycombinator.com/item?id=9041017)

[https://news.ycombinator.com/item?id=8563884](https://news.ycombinator.com/item?id=8563884)

~~~
arcticfox
What are you talking about? Facebook is not a "high value target" and "this
bug would not cause Facebook much damage"?

For example, if you wanted to monetize it, I have to imagine TMZ (or someone
even less scrupulous) would pay a lot of money for dumps of A-list celeb and
athlete Facebook accounts.

You don't think Facebook having "The Fappening Part 2" on their hands is worth
more than $15k to prevent? Or having every US Government FB account
simultaneously posting ISIS propaganda?

The PR for any number of scenarios like those would be an absolute nightmare
for Facebook.

~~~
dsacco
Your comment does not reflect how vulnerability sales work in the real world.

In the real world, vulnerabilities are sold to blackhat groups who want to
make a profit by attacking as many websites as possible. Generally, these
websites will have valuable credit card or other information that can be
stolen from a compromised server.

Compromised user accounts (not even the server! just users!) on a single
website do not constitute a valuable target.

The idea that TMZ would pay a significant amount of money for this is a
Hollywood plot, nothing more. Vulnerabilities are not valued highly just
because you can come up with a contrived scenario in which it would be
valuable to someone for some reason.

This is a market, and like any other market there are buyers and sellers who
dictate supply and demand.

~~~
bcook
>Compromised user accounts (not even the server! just users!) on a single
website do not constitute a valuable target.

That statement is just plain wrong. With over a billion Facebook users, surely
_some_ of them are high-value targets.

~~~
JetSpiegel
But what can you really do with the Facebook login of, say Obama? Not
provoking WW3, that's for sure. The only thing you can realistically create is
a PR kerfuffle for Facebook, but considering the way to spread it would be
(wait for it) on Facebook itself, there's not much money in this.

~~~
georgeglue1
You simply log into the Bloomberg/AP/NYTimes account, post some fake economic
or political news, and then call in some options you purchased the week
before.

If done intelligently, this is incredibly difficult to trace. There is risk
(rather than a straight-up sale), but the expected returns are probably an
order of magnitude higher.

~~~
argonaut
Given that the risk is you go to jail, I'm not so sure.

~~~
bcook
I thought most blackhat activities already implied the threat of jail-time...

------
sandGorgon
BTW - Anand is a security engineer working for Flipkart and is one of India's
smartest security experts. This is not the first time he has found bugs.

[http://yourstory.com/2015/10/techie-tuesdays-anand-prakash/](http://yourstory.com/2015/10/techie-tuesdays-anand-prakash/)

------
jdcarter
Good reminder here that _all_ publicly-visible services are part of your
overall attack surface, including beta sites and other things you never expect
people to look at. The DROWN vulnerability from last week was similar: people
disabled SSLv2 on their web servers, but not their mail servers.

Very nice find: super simple but super effective. I'm glad Facebook paid up
promptly.

------
dsmithatx
This has me thinking about another possible attack. Say I don't want to hack
all of Facebook or a specific account. What if I used a botnet to reset
passwords and then use the six attempts randomly on each account I reset. Sure
I'd only get a small percentage but, I would easily start hacking FB accounts.
It's things like this that make me use 2FA as much as possible on personal
data.

~~~
orionblastar
2FA is nice unless you lose your cell phone or it gets stolen. If you ever
lose your job or go homeless and can't afford a cell phone then you are locked
out of your accounts.

I am disabled and struggling if I miss payments I go homeless or can't pay my
bills and things get shut off. For me 2FA might not work if I am down on my
luck.

~~~
ladzoppelin
Authy is really good. [https://www.authy.com/](https://www.authy.com/)

They need a Firefox extension but it's allowed me to do 2FA on my personal and
work accounts without fear of being totally locked out if I lose my phone.

~~~
voltagex_
Doesn't Authy store some of your secrets server-side?

~~~
rtpg
You can choose to store some, yes, but it's encrypted by your backup password.
At least that's my understanding of it.

------
haser_au
A great example of responsible disclosure, and the company acknowledging,
fixing and rewarding the bug and finder. Great job to both Facebook and Anand.

------
mcone
How do companies evaluate the severity and impact of the vulnerability? I
don't work in security, but it seems like this is worth more than $15,000.

~~~
dsacco
Companies evaluate severity based on impact. There are different tiers of
vulnerability.

A vulnerability that affects a particular website is significantly less
valuable than one that affects many websites.

Companies like Google and Facebook actually overpay for vulnerabilities
because 1) they're flush with cash and can, 2) it's excellent for goodwill in
the industry, 3) it's an excellent recruiting tool and 4) it augments an
already strong internal security program.

If you hypothetically tried to go to the black market with this vulnerability
you wouldn't even find a buyer. When Facebook patches this, it's useless, and
you'd have to derive more than whatever you paid for. At this point it's a
betting game - do you think you can earn back $100,000 using this exploit
before Facebook catches wind of it?

Conversely, vulnerabilities that are very highly valued tend to affect large
numbers of websites in a format that is not easily patched. For example, many
websites don't update WordPress often, which means that a vulnerability in
WordPress is going to instantly get a CVE and a widespread push for awareness.
Even so, it will be actionable for years.

------
s3arch
For these individual hardworking security analysts, Facebook awarding cash
prizes of "any real value" is worth much more than some news article reporting
it as "...simple security flaw...".

[http://www.zdnet.com/article/facebook-fixes-simple-security-flaw-which-let-you-take-over-any-account/](http://www.zdnet.com/article/facebook-fixes-simple-security-flaw-which-let-you-take-over-any-account/)

------
moonshinefe
A whole $15k? This could have cost them hundreds of thousands if not millions
in lawsuits. That's a pretty crappy incentive; I'd imagine a lot of less moral
security researchers getting exponentially more money out of something like
this by just selling the 0day.

I wonder why the reward is so low. This is literally the amount a code monkey
gets paid after 3-5 months of work with minimal skills.

------
thrownn
On the subject of rate limiting, what is the best way to apply it across all
endpoints, APIs and resources, external and internal, with minimal effort?

Usually, I see this implemented only as an afterthought, and only on endpoints
deemed 'dangerous', waiting for a disaster like this to happen...

~~~
noir_lord
It's a defense in depth scenario, but most webservers have modules for it.
Apache certainly does, as I've used it; not sure about nginx, I still haven't
used that in production.
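The comments above ask where the limit should live. The control the article's bug was missing is narrower than a generic per-endpoint throttle: the reset code itself needs a guess budget, an expiry and single use, enforced wherever the verification endpoint is served (beta hosts included). The following is an added example, not code from the article or from Facebook; it shows a reset-code verifier with no limit beside the hardened form. The class names, the 6-attempt budget and the 15-minute lifetime are assumptions for illustration.

```python
"""Added example; not code from the article or from Facebook. A reset-code
verifier in the shape the post describes (a short numeric code sent to the
user), first without any attempt limit, then with a per-code budget, expiry
and single use. Class names, the 6-attempt budget and the 15-minute TTL are
assumptions for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # 10**6 possible codes
MAX_ATTEMPTS = 6                # assumed per-code guess budget
CODE_TTL_SECONDS = 15 * 60      # assumed lifetime of an issued code


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class WeakResetService:
    """'Before': any number of guesses against a live code, so an attacker
    who can send ~10**6 requests simply walks the whole code space."""

    def __init__(self):
        self.codes = {}

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[user] = ResetCode(code, now)
        return code   # in reality delivered to the user out of band, never to the caller

    def verify(self, user, guess, now=None):
        rc = self.codes.get(user)
        return rc is not None and hmac.compare_digest(rc.code, guess)


class HardenedResetService(WeakResetService):
    """'After': every guess, right or wrong, spends budget; exhausting it
    or exceeding the TTL destroys the code; a correct guess is usable once."""

    def verify(self, user, guess, now=None):
        now = time.time() if now is None else now
        rc = self.codes.get(user)
        if rc is None or rc.consumed:
            return False
        if now - rc.issued_at > CODE_TTL_SECONDS:
            del self.codes[user]
            return False
        rc.attempts += 1
        if rc.attempts > MAX_ATTEMPTS:
            del self.codes[user]     # burned: the user must request a fresh code
            return False
        if hmac.compare_digest(rc.code, guess):
            rc.consumed = True
            return True
        return False


def brute_force(service, user, budget, now=None):
    """Attacker loop: submit 000000, 000001, ... until a guess is accepted.
    Returns the accepted code as an int, or None if the budget ran out."""
    for n in range(budget):
        if service.verify(user, f"{n:0{CODE_DIGITS}d}", now=now):
            return n
    return None


if __name__ == "__main__":
    weak, hard = WeakResetService(), HardenedResetService()
    weak.codes["alice"] = ResetCode("004242", 0.0)
    hard.codes["alice"] = ResetCode("004242", 0.0)
    print("weak    :", brute_force(weak, "alice", 10 ** CODE_DIGITS, now=0.0))  # 4242
    print("hardened:", brute_force(hard, "alice", 10 ** CODE_DIGITS, now=0.0))  # None
```

The per-code budget closes the single-account attack in the post: after six wrong guesses the code is gone and the attacker's odds against a fresh one are 6 in a million. It does nothing against the distributed variant raised earlier in the thread (a few guesses against each of many accounts), which never trips a per-account counter; that needs per-source velocity limits and monitoring on top. Note also that the check is keyed on the stored code, not on the request path, so it holds no matter which host (www, beta, mbasic) fronts the endpoint.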

------
technion

        beta.facebook.com and mbasic.beta.facebook.com 
    

Certificate Transparency has an interesting impact on some of the less-public
servers.

[https://crt.sh/?q=%25.facebook.com](https://crt.sh/?q=%25.facebook.com)

A host of servers turn up in that list, which may similarly be less security
tested than the main facebook.com site.
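The crt.sh lookup above is the recon step that turns CT into an inventory of hosts to test. The following is an added example, not code from the commenter or from Facebook: it pulls the same wildcard query in crt.sh's JSON form (the linked URL with `output=json` appended) and reduces the results to unique in-scope hostnames. The parsing is exercised offline on a constructed sample shaped like that output; the hostnames in the sample come from this thread, not from a real query.

```python
"""Added example, not code from the commenter or from Facebook: pull the
hostnames that Certificate Transparency exposes for a domain via crt.sh. The
live query is the comment's URL with output=json appended; the parsing is
demonstrated on a constructed sample shaped like that output (the
'name_value' field lists the certificate's names, one per line)."""
import json
import sys
import urllib.parse
import urllib.request

CRTSH = "https://crt.sh/?q={query}&output=json"


def fetch_records(domain, timeout=30):
    """Network call: the same wildcard search as the comment's link, JSON form."""
    url = CRTSH.format(query=urllib.parse.quote(f"%.{domain}"))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-recon-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def hostnames(records, domain):
    """Unique in-scope hostnames from crt.sh records.

    Wildcard names are reduced to their parent (the '*.' itself is nothing
    you can probe, but the parent is a real label); names that merely end in
    the string, like 'notexample.com', are rejected by the leading-dot check."""
    names = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


# Constructed sample in crt.sh's JSON shape (only the fields used here).
SAMPLE_RECORDS = [
    {"id": 1, "common_name": "facebook.com",
     "name_value": "facebook.com\n*.facebook.com"},
    {"id": 2, "common_name": "beta.facebook.com",
     "name_value": "beta.facebook.com\nmbasic.beta.facebook.com"},
    {"id": 3, "common_name": "notfacebook.com",
     "name_value": "notfacebook.com\n*.beta.facebook.com"},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python ct_hosts.py facebook.com
        records, domain = fetch_records(sys.argv[1]), sys.argv[1]
    else:
        records, domain = SAMPLE_RECORDS, "facebook.com"
    for h in hostnames(records, domain):
        print(h)
```

Run without arguments it prints the three in-scope names from the sample; with a domain argument it queries crt.sh live. The list is only as complete as the issuers' logging, which is why the later comment about logging every certificate as a matter of policy matters for defenders as much as for attackers: the same inventory is available to both.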

~~~
nly
I'm surprised an organisation as large as Facebook don't have their own CA,
and just don't issue the semi-secret stuff off the record.

~~~
evgen
Running a CA is a major pain, adds auditing and other requirements that are
ongoing pain, and prior to the past year or so Facebook did not issue enough
certificates to make the cost worthwhile. Doing this right means adding a lot
of logging and access control around a few parts of the infra stack that would
manage this, so why not pay someone else to deal with the paperwork and
bother? All FB certs are on the CT logs as a matter of policy, so that there
are no loopholes in our current statement that if a Facebook cert is not on
the CT logs you should not consider it valid; we will accept the loss of
secrecy (and people launching new stuff hate it but have learned to adjust) if
the end result is making it harder for someone to slide a dodgy cert into the
chain.

------
unknownzero
Anyone know what tool he was using in the YouTube video? This stuff is super
interesting.

~~~
fatlasp
Looks like Burp Suite. Sweet web proxy tool --
[https://portswigger.net/burp/](https://portswigger.net/burp/) Free for 14
days I think.

~~~
unknownzero
Awesome! Thanks for the link. It looks like they have a limited free forever
version as well, gonna have to play with this.

~~~
fatlasp
hmm yea my memory might have adjusted it to a trial period -- looks like many
of the most useful features are crippled in the free version.

------
beshrkayali
Regardless of this being Facebook or not, but forget to throttle your API and
this is what you get, some dude toying around with a tool just to poke holes
in your thing, but I digress.

If in any twisted, unrealistic, straight out of Homeland scenario where anyone
high profile enough would make use of this "vulnerability" and successfully
create a media "splash", and assuming Facebook security team is on top of
their game, this would get patched in a week tops. Keeping an eye on average
number of requests coming to their API end points, especially sensitive ones,
is part of their job, not a nice-to-have. I'd even think this would actually
get patched within 24 hours (since the fix isn't really that difficult). I
have absolutely no care or sympathy for Facebook but yeah, 15K is a lot for
something like this. It's a nice catch, that's all.

------
debacle
Good on Facebook for being so quick to reward Anand and fix the issue.

------
annnnd
I would love to know if someone has exploited this bug - should be fairly easy
to learn that from logs (this attack is far from stealthy). I guess FB will
never tell. :)
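Two comments above argue that this attack should be visible in request rates and in the logs afterwards, and an earlier one describes the botnet variant (a few guesses against each of many accounts) that a per-account counter would miss. The following is an added example, not code from any commenter or from Facebook: detection logic for both patterns run over constructed log lines. The log format, field names, window and thresholds are assumptions for illustration.

```python
"""Added example, not code from the thread or from Facebook: detection logic
for the two abuse patterns discussed above, run over constructed log lines.
Log format, field names, window and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(lines):
    """Return time-sorted (ts, src, user) for failed reset-code checks only;
    other actions, successes and malformed lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "verify_reset_code" or m["result"] != "fail":
            continue
        out.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"]))
    return sorted(out)


def detect(failures, window=timedelta(minutes=15), per_user_max=6, spray_min_users=20):
    """Return {'brute_force': {user: peak failures}, 'spray': {src: peak accounts}}.

    brute_force: one account exceeds per_user_max failures inside the window
    (the attack in the post). spray: one source fails against at least
    spray_min_users distinct accounts inside the window, a few times each, so
    no per-account counter ever trips (the botnet variant from the thread)."""
    per_user = defaultdict(deque)                       # user -> failure times
    per_src = defaultdict(lambda: defaultdict(deque))   # src -> user -> failure times
    alerts = {"brute_force": {}, "spray": {}}
    for ts, src, user in failures:
        q = per_user[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > per_user_max:
            alerts["brute_force"][user] = max(alerts["brute_force"].get(user, 0), len(q))
        users = per_src[src]
        users[user].append(ts)
        for u in list(users):                           # expire accounts outside the window
            uq = users[u]
            while uq and ts - uq[0] > window:
                uq.popleft()
            if not uq:
                del users[u]
        if len(users) >= spray_min_users:
            alerts["spray"][src] = max(alerts["spray"].get(src, 0), len(users))
    return alerts


def sample_log():
    """Constructed sample: benign noise, a 10-guess brute force on 'alice'
    from 203.0.113.5, and a spray from 198.51.100.9 trying 2 codes on each
    of 25 accounts over 12 minutes (documentation IP ranges, invented users)."""
    base = datetime(2016, 3, 7, 10, 0, 0)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"{stamp(base)} src=192.0.2.1 user=bob action=verify_reset_code result=fail",
        f"{stamp(base + timedelta(seconds=5))} src=192.0.2.1 user=bob action=verify_reset_code result=ok",
        f"{stamp(base)} src=192.0.2.2 user=eve action=login result=fail",
    ]
    for i in range(10):
        lines.append(f"{stamp(base + timedelta(seconds=i))} src=203.0.113.5 "
                     f"user=alice action=verify_reset_code result=fail")
    for n in range(25):
        for i in range(2):
            lines.append(f"{stamp(base + timedelta(seconds=30 * n + i))} src=198.51.100.9 "
                         f"user=u{n:03d} action=verify_reset_code result=fail")
    return lines


if __name__ == "__main__":
    print(detect(parse_log(sample_log())))
```

The per-account rule is the post-hoc answer to "was this exploited": any account with more than a handful of reset-code failures in a short window is worth a look, and a full walk of the code space leaves thousands. The per-source rule is the one a botnet-style spray needs; its weakness is shared egress (corporate NAT, carrier-grade NAT), which also touches many accounts from one address, so in practice the threshold is tuned per source population or paired with a per-source success/failure ratio rather than used on its own.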

------
adam12
Anyone else have trouble with that webpage? It froze my browser (Chrome).

------
010a
Hacker News: Where comments can be six paragraphs long and say absolutely
nothing.

~~~
dang
We detached this subthread from
[https://news.ycombinator.com/item?id=11249116](https://news.ycombinator.com/item?id=11249116)
and marked it off-topic.

------
msie
Surprised that the well-paid developers at Facebook missed this vulnerability.
Should inspire confidence in anyone who didn't get a job there. :-)

