> Bug bounties are supposed to represent a high probability payoff of a lesser amount of money for finding a bug. This is in comparison to going the black hat sales route, where probability of sale might be lower, but the payoff might be higher. I can imagine one or two state actors who might pay top dollar to have keys to the kingdom to a major social network. (https://news.ycombinator.com/item?id=10756159)
Expected payout = (Probability of reward * size of reward) +/- any additional value I put into who I'm selling it to.
If I have an exploit that gives me a lot of access to Facebook (or any other large company) I have to run that formula for each entity that might pay me for it: Facebook, the NSA, the Chinese Military, and so on down the list. Facebook is offering high probability for a lower payout. The NSA might step up their game and start offering ten times as much, or make it more clear that they will indeed pay you for it (not that I have any proof they'd do such a thing).
Make no mistake, Facebook has probably done this math very carefully when choosing a bounty.
Having worked at several similar companies, I'm guessing it went like this:
"How much should bounty be? Is $5K good?"
"Wow, that's nothing. At least make it something meaningful like 25 grand."
"Yeah... that's gonna be tough. How about we split the difference? $15K"
There is not a good, reliable way to make money from Facebook account takeover. You can conceive of them speculatively, but that is not the same thing as knowing you can execute, or, better, already having a business process in place that is already executing, just waiting for a new bug.
I worry that people are too obsessed about the hypothetical specter of tremendously skilled and bored black-hats who will ruin lives for fun, rather than for a pay-off, e.g. ZF0.
I'd assume having $15k to spend is a lot more fun than any enjoyment one could have by hacking someone's facebook account.
You'd have to have a real vendetta against someone to value ruining their life at $15k.
15k is actually cheap when compared with the costs of a private eye, a biker gang or a contract killer.
You're thinking about it wrong. There is no opportunity cost in their worldview, just lulz to be had at the expense of people they deem worthy of ruination.
(I never said the people that live in the intersection of trolls and blackhats are great at financial or career planning, after all.)
Translation: "Show us what you got and then we'll screw you over."
Sounds like you're less likely to get screwed by an escrow service found on TOR.
> Facebook's security team is one of the strongest and most sophisticated of any company
If that is true, how come they didn't catch this relatively obvious glitch discussed here?
As for 'obvious', hindsight, yada yada.
Not to mention the possibility of selling the same thing to multiple black hat buyers.
" Do you have a facebook account? Name a friend, and I'll prove it to you "
Or were you thinking that they would try to bust you for illegal hacking instead?
"When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”
Attacking others who use the software is an entirely different story of course.
If people enjoy doing it, or it makes sense in their currency or situation, awesome. The payouts don't get me excited though.
That's the market though. People who think it's too cheap don't play the game, people who think it's good money do.
Like you said, that's our market, but when working on a global scale, you have to consider pretty much everyone.
Let's examine the facts:
1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.
2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.
3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.
There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.
If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.
What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?
Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?
The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.
For further reading on bug bounty valuation:
For example, if you wanted to monetize it, I have to imagine TMZ (or someone even less scrupulous) would pay a lot of money for dumps of A-list celeb and athlete Facebook accounts.
You don't think Facebook having "The Fappening Part 2" on their hands is worth more than $15k to prevent? Or having every US Government FB account simultaneously posting ISIS propaganda?
The PR for any number of scenarios like those would be an absolute nightmare for Facebook.
People don't pay top dollar for speculative bugs. I'm sure there's some horrible market somewhere for stolen celebrity photos, but it generates a pittance compared to the people who harvest and exploit popped desktop computers.
It's not enough to imagine some way you could profit from the bug, for the same reason that you can't make 100 million dollars simply by coming up with the idea for an interesting startup. A viable exploit is just one part of the technical and business work that goes into profiting from a vulnerability. All the work, together, has to add up to less than the value of the exploit.
Moreover: pretty much nobody is planning out elaborate criminal enterprises based on Facebook bugs, because every one of those bugs takes a different form, has a different likelihood of discovery, and has a different payoff.
Facebook sets the price, not the market. That's why the speculative value of a bug should be relevant, not the practical value. If this guy were allowed to openly market his bug to all parties, it would be guaranteed to be worth much more than $15k.
The price to Facebook is totally arbitrary. They could pay this guy $10 and it would still be fair under your position, because it's better than the alternative of committing a felony by finding someone to outbid Facebook.
But the rest of your point? Yep. Sounds about right. Though I don't think it's quite fair to say that "Fb sets the price, not the market", since Fb is the market for these bugs.
Also, about the "Facebook's security team is one of the strongest and most sophisticated of any company" mantra, even a mediocre strategist, after knowing at least something about his opponents, can improve his attack based on that knowledge. Assuming a modicum of surveillance of traffic dynamics on the Facebook security team's part, this may translate into hiding the signature of a brute-force attack by spreading it out in space (using a botnet) and time (spreading out each individual trial a little), or into a more elaborate method.
Actually, you didn't limit yourself to "black hats that target Facebook", you put the "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I replied to, so I'm not sure what goalpost moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", which I'm not sure I understand from which angle you are looking at things by concluding that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account hacking service and derived cash flow for an unspecified number of black hats, as anyone in possession of something valuable would first and foremost try to use it and only secondly to sell it, you know? In such a context his remark doesn't even make much sense, so I'm not sure how "he's right" in your view.
I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of said bug? Would, say, disrupting somewhere the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").
Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug" - if right now, it would so happen for me to be willing to pay for a Facebook account hijacking method those $500 (which BTW is a tempting figure), what value would this conviction of yours still hold?
What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.
You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.
But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.
No, it would be just an (admittedly shady) business investment.
"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."
You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects and so were you when supported him, as for what you're doing now... I'm not sure what to make of it!
Yet you did it anyway! :)
Actually, he did begin by responding something useful to what you've written.
In the real world, vulnerabilities are sold to blackhat groups who want to make a profit by attacking as many websites as possible. Generally, these websites will have valuable credit card or other information that can be stolen from a compromised server.
Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.
The idea that TMZ would pay a significant amount of money for this is a Hollywood plot, nothing more. Vulnerabilities are not valued highly just because you can come up with a contrived scenario in which it would be valuable to someone for some reason.
This is a market, and like any other market there are buyers and sellers who dictate supply and demand.
That statement is just plain wrong. With over a billion Facebook users, surely some of them are high-value targets.
(Valuable != "immediate drop-in value")? So, he's saying the accounts aren't valuable, but they have value? The subtlety is lost on me...
Actually, you say the info has "a use"... does that not directly imply worth?
Imagine going to a tech trade show and setting up a stand for your lumber business. What you're selling has value and is useful, just not to the people you're trying to sell it to.
Edit: My intent was to understand your perspective (and argue...), but this comment goes over my head, and it seems as though it was a thinly veiled insult.
Not sure if you read Cryptonomicon, but there's a part there where Randy Waterhouse finds a crap load of gold in the middle of a jungle and then rationalizes that there's no easy way to get it out of there, making it worthless at that moment. That gold has value, but no liquidity.
If done intelligently, this is incredibly difficult to trace. There is risk (rather than a straight-up sale), but the expected returns are probably an order of magnitude higher.
It would likely be far cheaper and easier to execute something like this via social engineering than using an actual exploit. I'm reminded of the time Twitter user @m had his handle stolen because Apple gave up some personal info.
Given that there are likely 100s if not 1000s of FB users who may have access to the Bloomberg/AP/NYTimes official page, figuring out in an automated fashion who can be easily socially engineered isn't likely worth 15k.
The first example that comes to mind, "an organised trade in confidential personal information"
Just because this isn't the typical mass vulnerability SQL injection or XSS attack on a major framework doesn't mean it's basically worthless ($15k or less).
The amount of damage that could be done to Facebook's reputation is enormous, not to mention the value of the information that could be stolen.
Obligatory quote from Kanye's newest album 'The Life of Pablo':
> I had a cousin that stole my laptop that I was fuckin' bitches on
> Paid that nigga 250 thousand just to get it from him
Go try to sell an IBB bug.
Step two: hack into Tim Cook's account (no idea if he uses FB)
Step three: publish rant about Apple's rotten ideologies / he quits
Step four: see AAPL lose value for a day until this shit is sorted
Step five: profit
Or something like that
Step 7 - get out of jail and decide doing far less risky illegal stuff has a better expected payout.
It all really depends on how fast FB can service the requests and how long it takes for them to notice and shut it down. Push your priority list off to a worldwide farm and watch the accounts pop out.
How long until FB would have it shut down and the affected accounts locked out?
It won't matter if everyone can get the latest version of Facebook if no one is willing to use it anymore.
FB is publicly traded at very high volume. You can make very large bets on its movement without being noticed. A hack of 10 celebrity facebook pages could probably drop the stock 5% in one day. You'd probably be able to make at least 20 to 1 on your money using options. The right organization could clear millions.
1. It is way less easy to predictably and profitably swing Facebook's stock than simply by hacking 10 celebrity pages.
2. For whatever reason, including the fact that crime rings premised on manipulating stocks have an annoying tendency to get caught, nobody is running this "hack Company X while sorting their stock" scam, and so even if it's possible to accomplish, the market doesn't value it.
Bounties should not only be higher than what you can get on the black market. They should be high enough to make security experts spend their time trying to win them. Given probability of finding a bug with such impact, it is just not worth the time of any decent white hat (in terms of financial gain, sure it's nice to brag about it and that I believe is the biggest motivation).
Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.
This is precisely my point. No, he couldn't have. I outlined why in the comment you responded to.
>> Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.
Leaving aside the fact that it obviously doesn't literally make "zero difference," should companies decide to pay more for things simply because they can afford to?
I can absolutely think of a situation that would make access to one person's facebook account worth way more than $20,000. Say, an unethical high-profile divorce lawyer fishing for information that would help during a multi-million dollar case. Or a political activist trying to dig up dirt on a candidate.
Uh... is this the advice you give your customers?
I think you got this wrong, Facebook is not the target, their users are. Which reminded me of "If a service on the Internet is free, you are the product"
Also, I can personally live for a year on that kind of money. But that's another issue.
On the other hand, that is maybe what they would have paid for a real audit of a few days/weeks, and it's not even sure the vulnerability would have been found (especially considering the size of Facebook). So yeah, maybe they also deserve more.
And who knows if this was already exploited in the wild?
$15k is nothing at all compared to the scale of this issue...
Really? For brute forcing an un-rate-limited endpoint? I doubt it.
But you're right, he might have just got lucky. The one fish in a school of 100,000 who finds the hole in the net probably isn't smarter than all the other fish. But that just strengthens the argument that companies should reward very generously for these exploits, because increasing the number of white-hats looking for them is a good way to ensure that they get found by one.
https://www.facebook.com/whitehat/thanks (listed 2015, 2014, 2013)
Very nice find: super simple but super effective. I'm glad Facebook paid up promptly.
I am disabled and struggling if I miss payments I go homeless or can't pay my bills and things get shut off. For me 2FA might not work if I am down on my luck.
They need a Firefox extension, but it's allowed me to do 2FA on my personal and work accounts without fear of being totally locked out if I lose my phone.
A vulnerability that affects a particular website is significantly less valuable than one that affects many websites.
Companies like Google and Facebook actually overpay for vulnerabilities because 1) they're flush with cash and can, 2) it's excellent for goodwill in the industry, 3) it's an excellent recruiting tool and 4) it augments an already strong internal security program.
If you hypothetically tried to go to the black market with this vulnerability you wouldn't even find a buyer. When Facebook patches this, it's useless, and you'd have to derive more than whatever you paid for. At this point it's a betting game - do you think you can earn back $100,000 using this exploit before Facebook catches wind of it?
Conversely, vulnerabilities that are very highly valued tend to affect large numbers of websites in a format that is not easily patched. For example, many websites don't update WordPress often, which means that a vulnerability in WordPress is going to instantly get a CVE and a widespread push for awareness. Even so, it will be actionable for years.
I wonder why the reward is so low. This is literally the amount a code monkey gets paid after 3-5 months of work with minimal skills.
Usually, I see this implemented only as an afterthought, and only on endpoints deemed 'dangerous', waiting for a disaster like this to happen...
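The two points raised in this thread, that a brute force can be spread across a botnet to hide from per-source monitoring and that rate limiting is usually bolted on per IP as an afterthought, can be shown side by side. The following is an added example, not code from the original thread or from Facebook: it models a hypothetical endpoint that verifies a 6-digit code for an account, and the limiter parameters, the secret code "004217" and the bot IP addresses are all constructed for the simulation. The attacker rotates the source IP on every request, which defeats a limiter keyed by client IP but not one keyed by the account being attacked.

```python
"""Per-IP vs per-target rate limiting on a hypothetical code-verification endpoint.

Constructed example: the endpoint, the limits and the secret code are assumptions
for the simulation, not details of any real system.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        # drop events that have aged out of the window
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class CodeVerifier:
    """Hypothetical verification endpoint; `codes` maps account -> secret 6-digit code."""

    def __init__(self, codes, per_ip=None, per_target=None):
        self.codes = codes
        self.per_ip = per_ip          # the 'afterthought' limit: keyed by client IP only
        self.per_target = per_target  # keyed by the account under attack, whoever sends the request

    def verify(self, account, src_ip, guess, now):
        if self.per_ip is not None and not self.per_ip.allow(src_ip, now):
            return "rate_limited"
        if self.per_target is not None and not self.per_target.allow(account, now):
            return "locked"
        return "ok" if guess == self.codes.get(account) else "wrong"


def distributed_bruteforce(verifier, account, n_bots, max_requests=20_000, interval=0.01):
    """Guess 000000, 000001, ... spreading requests across n_bots source IPs.

    Returns (found, requests_sent). A rate-limited request is retried from the
    next bot with the same guess; the guess only advances once the server
    actually evaluated it.
    """
    guess = 0
    now = 0.0
    for req in range(max_requests):
        bot = req % n_bots
        src_ip = f"10.0.{bot // 256}.{bot % 256}"   # constructed botnet addresses
        result = verifier.verify(account, src_ip, f"{guess:06d}", now)
        now += interval
        if result == "ok":
            return True, req + 1
        if result == "locked":
            return False, req + 1   # target is locked; more bots will not help
        if result == "wrong":
            guess += 1
    return False, max_requests


CODE = "004217"   # constructed secret: the 4218th guess in ascending order


def attack_per_ip_only(n_bots=100):
    """Per-IP limit of 50/minute: 100 bots comfortably cover 4218 guesses."""
    v = CodeVerifier({"alice": CODE}, per_ip=SlidingWindowLimiter(limit=50, window=60.0))
    return distributed_bruteforce(v, "alice", n_bots)


def attack_per_target(n_bots=100):
    """Same per-IP limit plus 20 attempts/hour per account: locked after 20 guesses."""
    v = CodeVerifier({"alice": CODE},
                     per_ip=SlidingWindowLimiter(limit=50, window=60.0),
                     per_target=SlidingWindowLimiter(limit=20, window=3600.0))
    return distributed_bruteforce(v, "alice", n_bots)


if __name__ == "__main__":
    print("per-IP limit only:", attack_per_ip_only())    # (True, 4218)
    print("per-target limit:", attack_per_target())      # (False, 21)
```

The per-target limiter is the one that matters for an account-takeover bug: it counts attempts against the victim regardless of where they come from, so spreading the attack over a botnet buys nothing, and spreading it over time runs into the window length rather than around it. In practice the lockout would be paired with alerting on the locked account rather than a silent reject.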
beta.facebook.com and mbasic.beta.facebook.com
A host of servers turn up in that list, which may similarly be less security tested than the main facebook.com site.
If in any twisted, unrealistic, straight out of Homeland scenario where anyone high profile enough would make use of this "vulnerability" and successfully create a media "splash", and assuming Facebook security team is on top of their game, this would get patched in a week tops. Keeping an eye on average number of requests coming to their API end points, especially sensitive ones, is part of their job, not a nice-to-have. I'd even think this would actually get patched within 24 hours (since the fix isn't really that difficult). I have absolutely no care or sympathy for Facebook but yeah, 15K is a lot for something like this. It's a nice catch, that's all.
The iCloud/Fappening totally wasn't a big deal either, right? /s