How I could have hacked any Facebook account (anandpraka.sh)
443 points by phwd on Mar 8, 2016 | 159 comments

Frankly I think the amount being awarded by these companies is minuscule when you compare it to the amount of damage this information could have caused Facebook in the wrong hands.

During the fiasco that was the last white-hat hacker to report he'd hacked Facebook, I posted this:

> Bug bounties are supposed to represent a high probability payoff of a lesser amount of money for finding a bug. This is in comparison to going the black hat sales route, where probability of sale might be lower, but the payoff might be higher. I can imagine one or two state actors who might pay top dollar to have keys to the kingdom to a major social network. (https://news.ycombinator.com/item?id=10756159)

Expected payout = (Probability of reward * size of reward) +/- any additional value I put into who I'm selling it to.

If I have an exploit that gives me a lot of access to Facebook (or any other large company) I have to run that formula for each entity that might pay me for it: Facebook, the NSA, the Chinese Military, and so on down the list. Facebook is offering high probability for a lower payout. The NSA might step up their game and start offering ten times as much, or make it more clear that they will indeed pay you for it (not that I have any proof they'd do such a thing).

Make no mistake, Facebook has probably done this math very carefully when choosing a bounty.

> Make no mistake, Facebook has probably done this math very carefully when choosing a bounty.

Having worked at several similar companies, I'm guessing it went like this:

"How much should bounty be? Is $5K good?"

"Wow, that's nothing. At least make it something meaningful like 25 grand."

"Yeah... that's gonna be tough. How about split the difference? $15K"


In other words, if you wanted to game the odds, you'd start by offering it on the black market, then if there were no takers after X number of days, offer it to Facebook?

It is unlikely that there is any black market for this bug, or for the RCE that compromised Facebook's crypto secrets.


Yeap, you're right. These guys at least aren't paying a bounty for Facebook/Google bugs: https://www.zerodium.com/program.html

Like Dylan says, people will pay for web server software bugs, if the software is widely installed, because you can make money by building and grooming a fleet of compromised servers. There is a way to do it, and that way works.

There is not a good, reliable way to make money from Facebook account takeover. You can conceive of them speculatively, but that is not the same thing as knowing you can execute, or, better, already having a business process in place that is already executing, just waiting for a new bug.

Your comments make sense in the real world, where the big threat is "criminal enterprise looking to make an illicit buck".

I worry that people are too obsessed about the hypothetical specter of tremendously skilled and bored black-hats who will ruin lives for fun, rather than for a pay-off, e.g. ZF0.

> *hypothetical specter of tremendously skilled and bored black-hats who will ruin lives for fun*

I'd assume having $15k to spend is a lot more fun than any enjoyment one could have by hacking someone's facebook account.

You'd have to have a real vendetta against someone to value ruining their life at $15k.

> You'd have to have a real vendetta against someone to value ruining their life at $15k.

15k is actually cheap when compared with the costs of a private eye, a biker gang or a contract killer.

For a political hit, $15k might be a very reasonable valuation.

> You'd have to have a real vendetta against someone to value ruining their life at $15k.

You're thinking about it wrong. There is no opportunity cost in their worldview, just lulz to be had at the expense of people they deem worthy of ruination.

(I never said the people that live in the intersection of trolls and blackhats are great at financial or career planning, after all.)

Footnote on the graphic: *All payout amounts are chosen at the discretion of ZERODIUM and are subject to change or cancellation without notice.

Translation: "Show us what you got and then we'll screw you over."

Sounds like you're less likely to get screwed by an escrow service found on TOR.

Or simply publishing it first and leveraging the opportunity for contract work. I'd really hope you're able to get a commitment from ZERODIUM before giving them the details.

This comment states:

> Facebook's security team is one of the strongest and most sophisticated of any company

If that is true, how come they didn't catch this relatively obvious glitch discussed here.

No team can catch all the bugs.

As for 'obvious', hindsight, yada yada.

You forget to normalise by the uncertainty of payment in the blackhat case and the probability of repercussions.

Not to mention the possibility of selling the same thing to multiple black hat buyers.

From this article I get the impression that the bounty wasn't even known before hand. It doesn't seem like a very careful consideration from Facebook, and I would expect it to be "too low" if they're choosing the amount after someone has already disclosed the bug.

Another factor is that when you are buying on the black market, you can't be sure whether you are buying a real exploit or a fake one. The exploit owner will probably request (irreversible) bitcoin payment, will communicate via anonymous channels and is unlikely to give out details about that exploit until he's got his money. So both sides have difficulty trusting each other. Probably the solution is some trusted third party, but is there one in the black market? It's hard to imagine, actually.

Even if you aren't able to receive some sort of sample proof of work (which is probably not the case with this exploit), you can still mitigate the risk by ensuring the seller has high status in the marketplace and/or is willing to use escrow (or preferably multi-sig) to ensure funds are only released upon receipt.

You totally can demonstrate it in this case, but I see how you are correct in most other cases.

"Do you have a facebook account? Name a friend, and I'll prove it to you"

Not really - a Facebook attack can be proven without revealing the details. eg. The buyer could ask "give me a list of the friends of <non-public account>" or "make a fake posting with <this content> authored by <this user>".

Problem with that is the buyer could be FB Sec. Now they have a targeted account to watch and find the vuln. themselves. Better option is to find a random famous person and do the same thing.

3-way signed keys with a minimum of 2 necessary for accessing the BTC wallet. If memory is not playing tricks on me, you can do that with BTC. You can make a client -> seller transaction if everything is normal, else the third party can arbitrate the transaction.

where do people even go to start to sell an exploit? how does that kind of stuff work?

I assume you're wondering about the black market? Traditionally, Russian and Eastern European carder forums. In the golden age of Western Union and Moneygram... More recently, dark web markets over TOR with multi-sig cryptocurrency escrow.

for exploits that don't target a single deployed instance there is a 'grey/white' market. off the top of my head: ZDI (more defence oriented. i think they distribute just signatures for intrusion detection), Zerodium (more offence oriented), Exodus Intel EIP (not really sure.. they distribute a feed)

same place as silk road.

Not sure if this is a good idea. Probably lots of undercover three-letter government agents lurking there.

Why is that a bad idea? If you sell to one of them, you will most certainly get paid in full and on time.

Or were you thinking that they would try to bust you for illegal hacking instead?

I suspect most whitehat researchers would be happier to report this vulnerability and make a nice legal reward, than delve into a black hat market for selling a vulnerability. Seems pretty win-win in this case.

Unless your name is Kevin Mitnick. Then you set up a business and play middleman in selling them to anybody who wants to pony up for it.

"When we have a client that wants a zero-day vulnerability for whatever reason, we don't ask, and in fact they wouldn't tell us," Mitnick tells WIRED in an interview. "Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."


How is this legal?

Because he's selling to governments, who operate under the "it's not illegal when we do it" principle.

What if it's the Chinese government that's buying, would it suddenly turn illegal?

Why wouldn't it be? Someone looks at a program that they bought and paid for, and sees that it has a mistake. They didn't write the software or put the mistake there. How can it be a crime for them to become aware of behavior in someone else's program?

Attacking others who use the software is an entirely different story of course.

By reporting the problem to the owner you should assume that it might get fixed before you'll manage to sell it to other interested parties.

I do security audits and agree completely. My biggest issue is that the researcher is working for free. If nothing is found you just burnt a few weeks, if something is found the payout is usually only a couple grand.

If people enjoy doing it, or it makes sense in their currency or situation, awesome. The payouts don't get me excited though.

That's the market though. People who think it's too cheap don't play the game, people who think it's good money do.

In my country, getting paid 15k dollars would mean more than a year's worth of salary at a big infosec company. So it makes complete sense to go in for bug bounties, even if it's a "low" payout, or if you spend a lot of time to get one.

Like you said, that's our market, but when working on a global scale, you have to consider pretty much everyone.

This has been discussed many, many times on HN before. This bug would not cause Facebook much damage; in fact, Facebook and Google tend to overpay rewards for bugs for the purposes of goodwill and recruiting.

Let's examine the facts:

1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.

2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.

3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.

There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.

If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.

What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?

Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.

For further reading on bug bounty valuation:

What are you talking about? Facebook is not a "high value target" and "this bug would not cause Facebook much damage"?

For example, if you wanted to monetize it, I have to imagine TMZ (or someone even less scrupulous) would pay a lot of money for dumps of A-list celeb and athlete Facebook accounts.

You don't think Facebook having "The Fappening Part 2" on their hands is worth more than $15k to prevent? Or having every US Government FB account simultaneously posting ISIS propaganda?

The PR for any number of scenarios like those would be an absolute nightmare for Facebook.

He's right, and you are indeed recapitulating a discussion that has happened a zillion times on HN before. At some point (maybe I haven't read far enough down on the thread), The Grugq will chime in and confirm it, just in case you were doubting it. This isn't specific to Facebook; it's a common misapprehension of how bugs are valued for all SaaS companies.

People don't pay top dollar for speculative bugs. I'm sure there's some horrible market somewhere for stolen celebrity photos, but it generates a pittance compared to the people who harvest and exploit popped desktop computers.

It's not enough to imagine some way you could profit from the bug, for the same reason that you can't make 100 million dollars simply by coming up with the idea for an interesting startup. A viable exploit is just one part of the technical and business work that goes into profiting from a vulnerability. All the work, together, has to add up to less than the value of the exploit.

Moreover: pretty much nobody is planning out elaborate criminal enterprises based on Facebook bugs, because every one of those bugs takes a different form, has a different likelihood of discovery, and has a different payoff.

The bizarre part here is that Facebook is competing against a market that the security researcher is not allowed to participate in by law.

Facebook sets the price, not the market. That's why the speculative value of a bug should be relevant, not the practical value. If this guy were allowed to openly market his bug to all parties, it would be guaranteed to be worth much more than $15k.

The price to Facebook is totally arbitrary. They could pay this guy $10 and it would still be fair under your position, because it's better than the alternative of committing a felony by finding someone to outbid Facebook.

That's almost true. If Fb bid only $10, you could see bidding simply for the right to (a) announce the bug or (b) post a hash and lord it over Fb. There's a vanity value for some of these bugs that probably goes into the hundreds of dollars.

But the rest of your point? Yep. Sounds about right. Though I don't think it's quite fair to say that "Fb sets the price, not the market", since Fb is the market for these bugs.

You may choose (like you actually do) to make-believe whatever you wish about the exploits' worthlessness, but you may also assume that there already were a lot of black hats out there that provided "service" relying on the recently covered security weakness.

Also, about the "Facebook's security team is one of the strongest and most sophisticated of any company" mantra, even a mediocre strategist, after knowing at least something about his opponents, can improve his attack based on that knowledge. Assuming a modicum of surveillance of traffic dynamics on the part of Facebook's security team, this may translate into hiding the signature of a brute-force attack by spreading it in space (using a botnet) and time (spreading out a little each individual trial), or into a more elaborate method.

Don't move the goalposts. I'm not saying there aren't black hats that target Facebook. I'm saying none of them will pay $15000, or even $500, for this or any other Fb bug.

"Don't move the goalposts. I'm not saying there aren't black hats that target Facebook."

Actually, you didn't limit yourself to "black hats that target Facebook", you put a "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I answered, so I'm not sure what goalpost moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", which I'm not sure I understand from which angle you are looking at things by concluding that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account hacking service and the cash flow derived from it for an unspecified number of black hats, as the way anyone in possession of something valuable would first and foremost try to use it and only secondly to sell it, you know? In such a context his remark doesn't even come to make much sense, so I'm not sure how "he's right" in your view.

I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of the said bug? Would, say, disrupting somewhere the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").

Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug": if right now it would so happen that I was willing to pay those $500 for a Facebook account hijacking method (which BTW is a tempting figure), what value would this conviction of yours still hold?

I would say you were paying $500 for a vanity bug, and not be especially surprised.

What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.

You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.

But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.

"I would say you were paying $500 for a vanity bug"

No, it would be just an (admittedly shady) business investment.

"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."

You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects and so were you when supported him, as for what you're doing now... I'm not sure what to make of it!

I'm sorry, but I don't see anything in this comment that is responsive to anything I've written or that introduces any new argument for me to respond to.

> I don't see anything in this comment [...] for me to respond to

Yet you did it anyway! :)

Actually, he did begin by responding something useful to what you've written.

Your comment does not reflect how vulnerability sales work in the real world.

In the real world, vulnerabilities are sold to blackhat groups who want to make a profit by attacking as many websites as possible. Generally, these websites will have valuable credit card or other information that can be stolen from a compromised server.

Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.

The idea that TMZ would pay a significant amount of money for this is a Hollywood plot, nothing more. Vulnerabilities are not valued highly just because you can come up with a contrived scenario in which it would be valuable to someone for some reason.

This is a market, and like any other market there are buyers and sellers who dictate supply and demand.

>Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.

That statement is just plain wrong. With over a billion Facebook users, surely some of them are high-value targets.

He's not wrong, you're just misunderstanding him. He's not saying there aren't "valuable" or "interesting" Facebook accounts. He's saying that there aren't enough Facebook accounts with immediate drop-in value to an existing and lucrative criminal enterprise to create a competitive market for Facebook bugs.

I would agree, being that I cannot immediately detail how these Facebook accounts might be useful, but any information is useful, especially credentials.

(Valuable != "immediate drop-in value")? So, he's saying the accounts aren't valuable, but they have value? The subtlety is lost on me...

Lots of things have utility but no liquidity.

The info is useful, but not sellable? The two seem deeply intertwined. If I can prove usefulness, I can sell it.

Actually, you say the info has "a use"... does that not directly imply worth?

The info might be useful to someone, but not to the people who are buying vulnerabilities on the black market.

Imagine going to a tech trade show and setting up a stand for your lumber business. What you're selling has value and is useful, just not to the people you're trying to sell it to.

Let's assume the position of a spammer or ~0-day blackhatter... access to the accounts of the most popular website in the world are not of interest? (You could post a URL and have millions of people click it because they trust the poster.)

That's an especially ironic argument to try to make on this particular site.

Is that a retort or simply an unrelated observation?

Edit: My intent was to understand your perspective (and argue...), but this comment goes over my head, and it seems as though it was a thinly veiled insult.

What I'm understanding here is that while it might be profitable to someone to have an exploit on hand that they can use, the actual work that goes into turning a profit from the exploit may be costly enough that it's not worth pursuing.

Not sure if you read Cryptonomicon, but there's a part there where Randy Waterhouse finds a crap load of gold in the middle of a jungle and then rationalizes that there's no easy way to get it out of there, making it worthless at that moment. That gold has value, but no liquidity.

This is a forum focused on the startup community. The difference between the merely-useful and the truly-marketable has been discussed ad nauseam on these pages, as that difference makes and breaks many startups.

If you could have been more direct, I would have been more receptive to learning, rather than confusion and feeling excluded.

But what can you really do with the Facebook login of, say Obama? Not provoking WW3, that's for sure. The only thing you can realistically create is a PR kerfuffle for Facebook, but considering the way to spread it would be (wait for it) on Facebook itself, there's not much money is this.

You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.

If done intelligently, this is incredibly difficult to trace. There is risk (rather than a straight-up sale), but the expected returns are probably an order of magnitude higher.

>You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.

It would likely be far cheaper and easier to execute something like this via social engineering than using an actual exploit. I'm reminded of the time Twitter user @m had his handle stolen because Apple gave up some personal info.

Given that there are likely 100s if not 1000s of FB users who may have access to the Bloomberg/AP/NYTimes official page, figuring out in an automated fashion who can be easily socially engineered isn't likely worth 15k.

Given that the risk is you go to jail, I'm not so sure.

I thought most blackhat activities already implied the threat of jail-time...

I think you are vastly underestimating the power of social engineering.

> Hollywood plot, nothing more.

The first example that comes to mind, "an organised trade in confidential personal information"
Just because this isn't the typical mass vulnerability SQL injection or XSS attack on a major framework doesn't mean it's basically worthless ($15k or less).

The amount of damage that could be done to Facebook's reputation is enormous, not to mention the value of the information that could be stolen.

The black market does not put a high price on damaging Facebook's reputation.

You know what people put into Facebook chats?

Obligatory quote from Kanye's newest album 'The Life of Pablo':

" I had a cousin that stole my laptop that I was fuckin' bitches on

Paid that nigga 250 thousand just to get it from him "

You know what people put into Instant Bloomberg chats?

Go try to sell an IBB bug.

Step one: short a million on Apple shares

Step two: hack into Tim Cook's account (no idea if he uses FB)

Step three: publish rant about Apple's rotten ideologies/he quits

Step four: see AAPL lose value for a day until this shit is sorted

Step five: profit

Or something like that

Step 6 - go to jail.

Step 7 - get out of jail and decide doing far less risky illegal stuff has a better expected payout.

Your claim was about the severity of the bug.

It all really depends on how fast FB can service the requests and how long it takes for them to notice and shut it down. Push your priority list off to a worldwide farm and watch the accounts pop out.

How long until FB would have it shut down and the affected accounts locked out?

The problem is that there's no half life. The bug dies instantaneously once discovered. It's not like 3/4 of the Internet runs "old Facebook" because they forgot to update it.

Sure, but in the time before the accounts are locked out all of their data may have been exfiltrated and mirrored around the world.

It won't matter if everyone can get the latest version of Facebook if no one is willing to use it anymore.

>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

FB is publicly traded at very high volume. You can make very large bets on its movement without being noticed. A hack of 10 celebrity facebook pages could probably drop the stock 5% in one day. You'd probably be able to make at least 20 to 1 on your money using options. The right organization could clear millions.

If that were as straightforward as you claim, there would be a black market for all sorts of serverside vulnerabilities that might swing stock prices. But there isn't. One of two things is probably happening:

1. It is way less easy to predictably and profitably swing Facebook's stock than simply by hacking 10 celebrity pages.

2. For whatever reason, including the fact that crime rings premised on manipulating stocks have an annoying tendency to get caught, nobody is running this "hack Company X while shorting their stock" scam, and so even if it's possible to accomplish, the market doesn't value it.

You overestimate how much investors [and the public at large] care about this. Security issues with banks are a regular occurrence, yet you don't see Chase's stock drop with every announcement of stolen CC numbers. To investors it's not worth considering unless it's catastrophic and ongoing.

This would be extremely lucrative for a media outlet. You would need way less than 5 exploited high-profile celebrity accounts to surpass the $15,000 that were awarded in profit.

The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

Bounties should not only be higher than what you can get on the black market. They should be high enough to make security experts spend their time trying to win them. Given probability of finding a bug with such impact, it is just not worth the time of any decent white hat (in terms of financial gain, sure it's nice to brag about it and that I believe is the biggest motivation).

Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.

>> The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

This is precisely my point. No, he couldn't have. I outlined why in the comment you responded to.

>> Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.

Leaving aside the fact that it obviously doesn't literally make "zero difference," should companies decide to pay more for things simply because they can afford to?

>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

I can absolutely think of a situation that would make access to one person's facebook account worth way more than $20,000. Say, an unethical high-profile divorce lawyer fishing for information that would help during a multi-million dollar case. Or a political activist trying to dig up dirt on a candidate.

Or some advertising on several very popular accounts ...

If I had a site with a billion users and said site had a vulnerability with significant repercussions on my business, BreakingBits, a "software security firm", would advise me not to meaningfully encourage outsiders to find and squash those vulnerabilities?

Uh... is this the advice you give your customers?

Hack into Zuckerberg's id, get his card info if it's stored, and for fun change the profile pic, send the news to top blogs before letting Facebook know. How much would it cost Facebook to do damage control?

> Facebook is not a high value target, relatively speaking.

I think you got this wrong, Facebook is not the target, their users are. Which reminded me of "If a service on the Internet is free, you are the product"

This quote is as lame as it is irrelevant.

yeah seriously, #2 is spot on. The moment you start brute forcing your way, network traffic gives you away and the security team will start blocking you. By the time they find out you may have found 1, 2, 3.. a few accounts.. This is in no way worth lots of $$ in bounty, let alone the 100k job offer, that's a joke.

this doesn't make any sense, most vulnerabilities you find in products are "game over" vulnerabilities. It's common. If you gave a billion dollars to every such finding in an audit then you would be pretty quickly declaring bankruptcy.

Also, I can personally live for a year on that kind of money. But that's another issue.

On the other hand, that is maybe what they would have paid for a real audit of a few days/weeks and it's not even sure the vulnerability would have been found (especially considering the size of Facebook). So yeah maybe they also deserve more.

I'm mixed.

David is right about this, too. A $50,000 pentest of any major web property is likely to find multiple sev:hi vulnerabilities. By the logic the grandparent comment uses, those audits should cost more like $1.5MM.

I think it's designed to be enough to convince would-be hackers to reveal the bug, but not enough to incentivise large amounts of people to sit around all day every day trying to break Facebook for bounties.

I assume it made its way into the wrong hands (not by the OP) and the amount of damage appears to be zero.

A bidding war between the bad and good guys would be interesting...

I agree. This was basically unrestricted access to any Facebook account. What a MASSIVE flaw.

And who knows if this was already exploited in the wild?

$15k is nothing at all compared to the scale of this issue...

It's not really unrestricted. Given that this is forcing the password reset, you can't silently do it, right? So anyone exploiting it knows there's a limited number of uses before people notice that their passwords are being reset by not them.

True, the restriction is that you only get a guarantee of getting in one time. I meant that there are no restrictions on what you can do once you're in. (E.g. an XSS chat hack or something like that would be restricted in that sense.)

Doesn't Facebook alert the user if it detects suspicious account login activity from an unknown location or IP?

The SMS and the e-mail about the password change is already a big alert for the user.

$15k and a likely open FB job offer

> job offer

Really? For brute forcing an un-rate-limited endpoint? I doubt it.

I'm sure they might encourage him to interview, but he's not going to get a serious job offer just from this. There's essentially nothing technical or skillful going on here, other than the basic coding ability to do HTTP requests in a loop and the hunch to investigate if subdomains don't rate limit.

He was resourceful enough to find a security flaw of the highest severity in the only product of a $300 billion company. A hole that was somehow missed by said company's own security auditors, who collectively are probably paid many millions of dollars per year entirely to look for such holes. So that's something.

But you're right, he might have just got lucky. The one fish in a school of 100,000 who finds the hole in the net probably isn't smarter than all the other fish. But that just strengthens the argument that companies should reward very generously for these exploits, because increasing the number of white-hats looking for them is a good way to ensure that they get found by one.

He's found quite a few different bugs:

https://hackerone.com/anand786 https://www.facebook.com/whitehat/thanks (listed 2015, 2014, 2013)

Over 20k in bounties in the last year listed, this 15k bounty, and multiple unlisted amounts from Yahoo. I don't think he cares about a job offer from FB too much.

Clearly this is the kind of role Facebook needs to fill ASAP.

Using a tool ('Burp') and spending time searching for "what might be vulnerable" can be worth at most 15 grand, not a $100,000+ job.

for a bruteforce ?

BTW - Anand is a security engineer working for Flipkart and is one of India's smartest security experts. This is not the first time he has found bugs.


Good reminder here that all publicly-visible services are part of your overall attack surface, including beta sites and other things you never expect people to look at. The DROWN vulnerability from last week was similar: people disabled SSLv2 on their web servers, but not their mail servers.

Very nice find: super simple but super effective. I'm glad Facebook paid up promptly.

This has me thinking about another possible attack. Say I don't want to hack all of Facebook or a specific account. What if I used a botnet to reset passwords and then used the six attempts randomly on each account I reset? Sure, I'd only get a small percentage, but I would easily start hacking FB accounts. It's things like this that make me use 2FA as much as possible on personal data.

2FA is nice unless you lose your cell phone or it gets stolen. If you ever lose your job or go homeless and can't afford a cell phone then you are locked out of your accounts.

I am disabled and struggling; if I miss payments I go homeless or can't pay my bills and things get shut off. For me 2FA might not work if I am down on my luck.

Authy is really good. https://www.authy.com/

They need a Firefox extension, but it's allowed me to do 2FA on my personal and work accounts without fear of being totally locked out if I lose my phone.

Doesn't Authy store some of your secrets server-side?

You can choose to store some, yes, but it's encrypted by your backup password. At least that's my understanding of it.

I recently bought the cheapest phone I could find for 2FA. $10 phone and $20 of minutes. It equated to 400 texts with a time limit of 3 months. I didn't do too much research, but there are probably some that don't expire. So, if you ever find yourself in a tough spot, $30 can get you access. If you ever can't afford $30, get in touch and I'll send you a phone.

There are ways around this for some things, but probably not with services like Facebook. For example, with Amazon I use 2FA with a cellphone. As a backup I use a hardware token and an Admin account. If my cellphone gets stolen I pull the 2FA card out of my wallet.

Provided that nobody steals your wallet and you don't lose that card.

In that case you use the backup codes that you had printed and put in a safe, and register a new 2FA token.

When setting up Google Authenticator for One Time Passcodes, you are also given a seed which can be used to re-set up the app from another device.
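Why that seed is enough to re-set up the app anywhere: a TOTP code is a pure function of the seed and the current 30-second time step, so no account data needs to be recovered from the provider. The block below is an added example (not code from the thread or from Google Authenticator) implementing RFC 6238 with HMAC-SHA1 and a verifier with a one-step drift window; the seed it uses is the public test secret from RFC 6238 Appendix B, not anyone's real credential.

```python
"""Added example (not from the thread): RFC 6238 TOTP from a backed-up seed.

The seed an authenticator app shows at enrolment is the whole secret: a code
is HMAC(seed, floor(time / 30)) truncated to six digits, so any device that
has the seed string produces the same codes with no server contact.
The seed used below is the public test secret from RFC 6238 Appendix B
("12345678901234567890" as ASCII), not anyone's real credential.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test secret, base32-encoded the way authenticator apps expect it.
RFC6238_TEST_SEED = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Compute the TOTP code for one 30-second time step (HMAC-SHA1 variant)."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = int(unix_time) // step                          # T = floor(time / step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side.

    Every candidate is compared in constant time and the loop does not stop at
    the first match, so the check's timing does not reveal which step matched.
    """
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(seed_b32, unix_time + drift * STEP_SECONDS)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


def restored_device_agrees(seed_b32: str, unix_time: int) -> bool:
    """'Device A' enrolled from the QR code; 'device B' was re-set up later by
    typing the saved seed (hand-entered, so the case differs). Same seed, same code."""
    device_a = totp(seed_b32, unix_time)
    device_b = totp(seed_b32.lower(), unix_time)
    return device_a == device_b


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_TEST_SEED, now))
    print("restored device agrees:", restored_device_agrees(RFC6238_TEST_SEED, now))
```

The flip side, which the thread gets at: whoever holds that seed string holds the second factor, so a printed seed belongs with the printed backup codes, in the safe, not in a note on the phone it protects.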

Provided you don't lose that seed. If I end up homeless I will lose all my stuff and be limited to library access. You have to plan for the worst-case scenarios with 2FA when things go bad.

Well at a certain point getting locked out stops being 2FA's fault and is simply due to the user's lack of responsibility.

Facebook likely makes the challenge harder if there is no history on the device you are trying to reset your password on.

A great example of responsible disclosure, and the company acknowledging, fixing and rewarding the bug and finder. Great job to both Facebook and Anand.

How do companies evaluate the severity and impact of the vulnerability? I don't work in security, but it seems like this is worth more than $15,000.

Companies evaluate severity based on impact. There are different tiers of vulnerability.

A vulnerability that affects a particular website is significantly less valuable than one that affects many websites.

Companies like Google and Facebook actually overpay for vulnerabilities because 1) they're flush with cash and can, 2) it's excellent for goodwill in the industry, 3) it's an excellent recruiting tool and 4) it augments an already strong internal security program.

If you hypothetically tried to go to the black market with this vulnerability you wouldn't even find a buyer. When Facebook patches this, it's useless, and you'd have to derive more than whatever you paid for. At this point it's a betting game - do you think you can earn back $100,000 using this exploit before Facebook catches wind of it?

Conversely, vulnerabilities that are very highly valued tend to affect large numbers of websites in a format that is not easily patched. For example, many websites don't update WordPress often, which means that a vulnerability in WordPress is going to instantly get a CVE and a widespread push for awareness. Even so, it will be actionable for years.

It certainly would be worth more to some people.

For these individual hardworking security analysts, Facebook awarding cash prizes of "any real value" is worth much more than some news article reporting it as "...simple security flaw...".


A whole $15k? This could have cost them hundreds of thousands if not millions in lawsuits. That's a pretty crappy incentive; I'd imagine a lot of less moral security researchers getting exponentially more money out of something like this by just selling the 0day.

I wonder why the reward is so low. This is literally the amount a code monkey gets paid after 3-5 months of work with minimal skills.

On the subject of rate limiting, what is the best way to apply it across all endpoints, APIs and resources, external and internal, with minimal effort?

Usually, I see this implemented only as an afterthought, and only on endpoints deemed 'dangerous', waiting for a disaster like this to happen...

It's a defense-in-depth scenario, but most webservers have modules for it. Apache certainly does, as I've used it; not sure about nginx, still not used that in production.
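One way to get the "across all endpoints with minimal effort" property the question asks for is to make the limiter the only path to any handler, rather than something each endpoint opts into. The block below is an added example (not code from the thread, Apache or nginx): a token bucket keyed by (client, route) sits in a tiny dispatcher, so a route that was never registered is not served at all and a registered one is always limited; the route names, limits and client address are assumptions for the demo.

```python
"""Added example (not from the thread): one rate limiter for every endpoint.

Instead of bolting a limit onto the handlers someone remembered to call
"dangerous", the dispatcher below refuses to serve any route that it has not
wrapped in a token bucket keyed by (client, route). A stricter limit is
declared for the recovery-code endpoint; everything else gets the default.
Route names, limits and the client address are assumptions for the demo.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    burst: int          # requests allowed immediately
    per_window: int     # sustained requests ...
    window_sec: int     # ... per this many seconds


class TokenBucket:
    def __init__(self, limit: Limit, now: float):
        self.limit = limit
        self.tokens = float(limit.burst)
        self.updated = now

    def try_take(self, now: float) -> bool:
        """Refill proportionally to elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.updated)
        refill = elapsed * self.limit.per_window / self.limit.window_sec
        self.tokens = min(float(self.limit.burst), self.tokens + refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimitedApp:
    DEFAULT = Limit(burst=60, per_window=60, window_sec=60)            # about 1 req/s
    SENSITIVE = {
        # six tries per hour per client: a 6-digit code cannot be walked
        "/recover/code": Limit(burst=6, per_window=6, window_sec=3600),
    }

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.routes = {}
        self.buckets = {}

    def route(self, path):
        """Decorator: registering a handler here is the only way to expose it."""
        def register(handler):
            self.routes[path] = handler
            return handler
        return register

    def handle(self, client: str, path: str, *args):
        """Every request passes the bucket check before the handler runs."""
        if path not in self.routes:
            return 404, "not found"
        now = self.clock()
        key = (client, path)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(self.SENSITIVE.get(path, self.DEFAULT), now)
            self.buckets[key] = bucket
        if not bucket.try_take(now):
            return 429, "too many requests"
        return 200, self.routes[path](*args)


class FakeClock:
    """Deterministic clock so the demo does not depend on wall time."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(path, burst, wait_seconds, second_burst, client="203.0.113.5"):
    """Return (allowed in first burst, allowed in a second burst after waiting)."""
    clock = FakeClock()
    app = RateLimitedApp(clock)
    app.route(path)(lambda: "ok")
    first = sum(app.handle(client, path)[0] == 200 for _ in range(burst))
    clock.advance(wait_seconds)
    second = sum(app.handle(client, path)[0] == 200 for _ in range(second_burst))
    return first, second


if __name__ == "__main__":
    print("recovery endpoint:", simulate("/recover/code", 100, 600, 10))  # (6, 1)
    print("ordinary endpoint:", simulate("/search", 100, 0, 10))          # (60, 0)
```

Two design notes. First, the per-client key is only one dimension: the botnet scenario raised elsewhere in this thread spreads requests across many source addresses, so a recovery endpoint also needs a bucket keyed on the target account (and, for a shared-state deployment, the buckets live in something like Redis rather than in process memory). Second, the demo's value is the 404 branch as much as the 429 one: a beta hostname that bypasses this dispatcher is exactly the gap the original write-up describes.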

    beta.facebook.com and mbasic.beta.facebook.com 
Certificate Transparency has an interesting impact on some of the less-public servers.


A host of servers turn up in that list, which may similarly be less security tested than the main facebook.com site.

I'm surprised by the amount of certificate fragmentation these companies have. Why would they use so many different certificate types and vendors? Twitter is even worse: https://crt.sh/?q=%25.twitter.com

I'm surprised an organisation as large as Facebook don't have their own CA, and just don't issue the semi-secret stuff off the record.

Running a CA is a major pain, adds auditing and other requirements that are ongoing pain, and prior to the past year or so Facebook did not issue enough certificates to make the cost worthwhile. Doing this right means adding a lot of logging and access control around a few parts of the infra stack that would manage this, so why not pay someone else to deal with the paperwork and bother? All FB certs are on the CT logs as a matter of policy, so that there are no loopholes in our current statement that if a Facebook cert is not on the CT logs you should not consider it valid; we will accept the loss of secrecy (and people launching new stuff hate it but have learned to adjust) if the end result is making it harder for someone to slide a dodgy cert into the chain.
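The two points above (vendor fragmentation visible in crt.sh, and a policy that a certificate absent from CT logs is not valid) suggest the obvious periodic control: pull the CT results for your domain and diff them against what you think you run. The block below is an added example, not code from the thread or from Facebook; its input is constructed to look like crt.sh's JSON output (field names assumed from that API, every value made up), and the inventory and approved-issuer list are assumptions.

```python
"""Added example (not from the thread): audit Certificate Transparency results
against your own host inventory.

Input is constructed to look like the JSON crt.sh returns for
?q=%25.example.com&output=json (field names assumed from that API; every value
below is made up). The check flags hosts nobody inventoried, wildcard
certificates, and certificates from vendors the organisation never approved.
"""
import json
from collections import Counter

SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Example Public CA, CN=Example Public CA G2",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"id": 102, "issuer_name": "C=US, O=Example Public CA, CN=Example Public CA G2",
     "common_name": "*.example.com", "name_value": "*.example.com"},
    {"id": 103, "issuer_name": "C=GB, O=Other Vendor CA, CN=Other Vendor DV CA",
     "common_name": "beta.example.com",
     "name_value": "beta.example.com\nmbasic.beta.example.com"},
    {"id": 104, "issuer_name": "C=US, O=Example Public CA, CN=Example Public CA G2",
     "common_name": "api.example.com", "name_value": "api.example.com"},
])

# What the organisation believes it runs, and which CA(s) it has approved (assumed).
INVENTORY = {"example.com", "www.example.com", "api.example.com"}
APPROVED_ISSUERS = {"O=Example Public CA"}


def names_from_record(rec: dict) -> set:
    """All DNS names a CT entry covers: the CN plus the newline-separated SANs."""
    names = set(rec.get("name_value", "").split("\n"))
    names.add(rec.get("common_name", ""))
    return {n.strip().lower() for n in names if n.strip()}


def issuer_org(issuer_name: str) -> str:
    """Pick the O= component out of a comma-separated issuer DN."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part
    return issuer_name


def audit_ct(ct_json: str, inventory: set, approved_issuers: set) -> dict:
    """Diff CT entries against the inventory and the approved CA list."""
    records = json.loads(ct_json)
    unknown_hosts, wildcards = set(), set()
    unexpected_issuers = []
    issuer_counts = Counter()
    for rec in records:
        org = issuer_org(rec["issuer_name"])
        issuer_counts[org] += 1            # how fragmented the vendor picture is
        names = names_from_record(rec)
        if org not in approved_issuers:
            unexpected_issuers.append((rec["id"], org, sorted(names)))
        for name in names:
            if name.startswith("*."):
                wildcards.add(name)        # a wildcard hides what it is used for
            elif name not in inventory:
                unknown_hosts.add(name)    # a host nobody inventoried
    return {
        "unknown_hosts": unknown_hosts,
        "wildcards": wildcards,
        "unexpected_issuers": unexpected_issuers,
        "issuer_counts": issuer_counts,
    }


if __name__ == "__main__":
    report = audit_ct(SAMPLE_CT_JSON, INVENTORY, APPROVED_ISSUERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real crt.sh output, the "unknown_hosts" set is the list of things to get security-tested (or decommissioned) and the "unexpected_issuers" list is what the "not in CT logs, not valid" policy needs as its enforcement side: a certificate someone bought off the record from an unapproved vendor shows up here the first time it is logged.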

Anyone know what tool he was using in the YouTube video? This stuff is super interesting.

Looks like Burp Suite. Sweet web proxy tool -- https://portswigger.net/burp/ Free for 14 days I think.

Awesome! Thanks for the link. It looks like they have a limited free forever version as well, gonna have to play with this.

hmm yea my memory might have adjusted it to a trial period -- looks like many of the most useful features are crippled in the free version.

Regardless of whether this is Facebook or not, forget to throttle your API and this is what you get: some dude toying around with a tool just to poke holes in your thing. But I digress.

If in any twisted, unrealistic, straight-out-of-Homeland scenario anyone high profile enough would make use of this "vulnerability" and successfully create a media "splash", and assuming Facebook's security team is on top of their game, this would get patched in a week tops. Keeping an eye on the average number of requests coming to their API endpoints, especially sensitive ones, is part of their job, not a nice-to-have. I'd even think this would actually get patched within 24 hours (since the fix isn't really that difficult). I have absolutely no care or sympathy for Facebook, but yeah, 15K is a lot for something like this. It's a nice catch, that's all.

Good on Facebook for being so quick to reward Anand and fix the issue.

I would love to know if someone has exploited this bug - should be fairly easy to learn that from logs (this attack is far from stealthy). I guess FB will never tell. :)

Anyone else have trouble with that webpage? It froze my browser (Chrome).

Hacker News: Where comments can be six paragraphs long and say absolutely nothing.

We detached this subthread from https://news.ycombinator.com/item?id=11249116 and marked it off-topic.

As opposed to the rest of the Internet?



Very disappointing comment. Everybody is free to choose to use facebook or not to use it. I chose not to use it, but I do not have the right or any moral obligation to stop others from using it. This guy did not have the right - and fortunately chose not to exercise it - to mess with other people's free choices in life. Besides that, the likely only effect any activity like you are suggesting would have had is that he would have ended up in jail and facebook would merrily continue.

Seeing as it's a brute-force per-account attack, a more accurate title would have been "How I could have hacked any Facebook account". Hacking "all of Facebook" would have been prohibitively resource-intensive for the hacker, and would likely have been caught and shut down before any real damage to the platform was done.

The hacker could have worked with the black market. They could use a botnet to slowly hack a large percentage of FB, potentially. Seeing as how they disabled rate-limiting on a public-facing beta with user data, why assume they would notice brute forcing against beta?

The attack involves resetting the user's password, which would have made the original user unable to access their own account until they reset the password back. After several such incidents were reported, Facebook likely would have cottoned on.

This alone would be enough to permanently cripple Facebook in the eyes of the public if applied "correctly."

The iCloud/Fappening totally wasn't a big deal either, right? /s

Apple wasn't brought down by the fappening.

Ok, we changed the title to say "any" rather than "all".

Surprised that the well-paid developers at Facebook missed this vulnerability. Should inspire confidence in anyone who didn't get a job there. :-)
