Are they allowed to escalate access, given the bounty rules?
Also, isn't the periodic collection of login credentials completely out of scope? What I mean is: once the initial vulnerability was located and the pentester got shell access in the system, shouldn't he have stopped there and reported?
In this case, they (correctly) went the other way, which creates even more uncertainty. Given this pattern of inconsistent enforcement mixed with threats, I would feel genuinely unsafe reporting a security vulnerability to Facebook except under very specific conditions. That's probably not what they're going for, but that's the environment they're creating.
What are we supposed to conclude from this? Under the current rules and assuming the description of what happened is accurate, it would seem you'll potentially be punished for establishing the full extent of a breach, unless it's not so bad, in which case you're rewarded for failing. In addition to being illogical and unfair, it also incentivizes OpSec to delude themselves and everyone else about their true security risks.
In the other case, they threatened because he proved the vuln was much, much greater, in fact I call it a billion dollar bug, and wanted to cover it up.
This time they're proudly telling us because the attempts failed or were not made at all.
As Wes proved, a simple looking RCE can lead to a huge breach of security due to failures in other areas.
I agree that limits must be established, but also, these must not end research so abruptly as they can lead to further information.
One might argue this is unethical, but a black hat doesn't care either way.
It's already a critical vulnerability. Unless you want to assign numbers to the infinity, which is ridiculous.
That's why some get a 10k payout and others get a 2.5k.
I agree that some actions are unethical, but does that really matter so much when a black hat is unethical anyways? The fact that he reported meant he harbored no malicious intent.
How is collecting logins better than that? Seriously? This is completely malicious if you ask me.
Moreover, we must not judge each case strictly to the same rule, but with a measure of consideration of the circumstances as well.
No. From Facebook's responsible disclosure policy:
> You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
Both of the pen testers in this situation broke the rules. Once they found a security issue they exploited it and probed for additional issues (as well as one tester who attempted compromise of sensitive company data by collecting logins).
It's good that Facebook doesn't always apply these guidelines to the letter.
"Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
From the write-up:
> After checking the browser, the SSL certificate of files.fb.com was *.fb.com …
You left a wildcard cert on this random internet-facing unaudited 3rd party linux box with no protection against data exfiltration, or an HTTPS proxy in front of it, or anything? I know it's not as critical as facebook.com, but this is still bad. Priv escalation CVEs for Linux come out like every month.
At the very least, using this cert, anyone could run a MITM on any *.fb.com service and compromise without ever breaking in. From the article that could include VPNs, Outlook Webmail, Oracle E-business and MobileIron. I'm hoping you did actually have a proxy in front of it and Orange just didn't catch that.
That sounds a lot more reasonable than actually having the private key on each individual server.
The article claims those are tfbnw.net, not fb.com.
That's a big assumption.
So they were grabbing creds, but it's ok it was just a researcher? Pretty sure that's crossing the line and indicative of an actual compromise of employee credentials.
Seriously, don't do Facebook. Not even once.
(Speaking of which, I just got script-hacked like this few days ago, and I think it's finally time to dump Wordpress and migrate to a static blog...)
Aside on self-hosting: This reminds me a lot of the self-driving car accident debate. Self-driving cars could be thousands of times more reliable than humans, but unless they are mathematically perfect, some people feel safer driving themselves because they feel they are in control. Never mind that Google/Facebook etc. have millions of man hours invested into security.
In essence, it's an economic argument, not a technical one.
I don't see how this is true at all. Most people don't care/know about security. See Wordpress. Many companies don't take security seriously, there are many open mongodb pointing to the outside world - HackingTeam, a team chock-full of blackhat hackers, was partially done in by sloppy authentication and passwordless databases.
Today, when people run their own server, it doesn't seem the incentives are properly aligned at all - and given that even blackhat shops don't even take the time to secure their own systems properly, the economic argument falls flat.
It's been tried, again, and again, and again, and it fails for the same reason all such projects fail - the only people who care about this architecture stuff are those who are geeky enough to be running their own decentralized services.
Heading off the inevitable response: Email is not a social interaction service, it is a message passing service that happens to have social uses.
These arguments always remind me of people claiming that certain professions are not paid enough. They forget that there is a market for labor and in this case the labor is finding vulnerabilities. People will either be willing to work for the posted price or not. In the case of pen testing facebook I'd be willing to bet there are plenty of people out there looking for bugs who aren't even really concerned with what the final payout is going to be.
Yeah, they could have gotten completely owned if he didn't report this. But to him reporting it and getting 10k in compensation was sufficient. Why would facebook pay him a million if he was willing to take 10k?
Clearly the bounty was not enough for the mystery attacker / researcher / hacker / whatever that Orange discovered exploiting the same hole.
Seems more likely that Facebook wasn't thrilled that Orange included the details of an existing, unknown Facebook compromise in his write-up.
I would imagine that the latter of the two is almost always willing to pay more. I would also imagine that by the time you're a skilled pentester, you're in your mid-to-late thirties and maybe are worried about how you're going to put your kids through college, or how you're going to retire.
So what do you do? Do you take the larger sum of cash and plague yourself with worrying about bitcoins, how you're going to lie on your taxes, and deal with the ethics of helping shady organizations?
Or do you help the company? Now you don't have to lie on your taxes or launder bitcoin, but you do have the pressure to find more security problems to make enough cash to meet your financial needs.
And the ball is solely in the court of the companies running bounty programs-- if they were to always provide more money than the black market, there's virtually no reason to bring it to someone else.
I don't think it's unreasonable for them to not want to give away more than they have to, but I get the sense that there's little to no negotiating power for the vulnerability finder-- and they should probably work on that.
The reason is that for a vulnerability to be worth money, someone needs to have a business process ready to go to monetize the vulnerability. Without that proven process, a vulnerability is just like any "Show HN" without a business model or revenue.
There are certain kinds of vulnerabilities --- browser code execution, most notably, but a couple others --- that organized criminals have whole businesses set to drop in and run and make money with. If you have one of those vulnerabilities, you've got lots of takers for it, and the prices for those vulns are nosebleed high.
There are a few kinds of organizations that will pay for a Facebook serverside RCE. Good luck finding them. Or, I should say, not finding them. Those same organizations will kill you and your whole family just to make a point. That is, after all, the only reason they want to buy Facebook serverside RCEs.
The argument these comments are making is that this report should qualify in some way for a higher payout.
I'm not arguing for either side here, just noting that the comments that you refer to are fairly reasonable.
You forget that no assertion of values makes sense when divorced of context.
A little more seriously, somehow we have to find language for different types of coercion. Otherwise we'll end up lumping the whole complicated world into one lump.
The bottom line is that the dollar value for this stuff is arbitrary, and Facebook arbitrarily picking $10,000 for getting COMPLETELY OWNED and exposing any selection of personal data (in the case of the other bug, this one seems to have the potential to be even worse due to credential stealing, although it's murkier) is pretty gross IMO.
I don't know what the number should be - again, it's arbitrary - but in my personal book $10,000 is about 10x too low.
I agree this one is murkier, although at first glance the proxy method employed by the "mystery adversary" seemed promising for privilege escalation.
> You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
It's no wonder other bounty researchers didn't find further vectors for exploiting their privileges. There was a researcher not too long ago hit by the book for this.
Dumping directories from machines and banking their creds isn't "escalating privileges". If you did that on a pro red team project, saving the creds to use a month or two later, you'd get fired.
I dug up the mentioned case, and FB's first contact with the researcher included, "Please be mindful that taking additional action after locating a bug violates our bounty policy." Between FB's whitehat policies and that, I'd be pretty sure not to escalate privileges.
This suggests two related questions: 1. how does buying vulnerabilities reduce the risk of a malicious use of a vulnerability, and 2. by how much?
I suggest two answers for question 1:
First, buying a vulnerability and then patching it prevents that vulnerability from being used by an attacker. It only makes sense to do this if vulnerabilities are very rare, since the more rare they are the greater the benefit of fixing them.
Second, someone who discovers a vulnerability might have a human urge for recognition and/or payment. "I did the work, I deserve some credit/payment". In this case facebook is competing with the vulnerability blackmarket, but facebook has an inherent advantage (all things being equal a legal dollar is more beneficial than an illegal dollar and you get bragging rights which has both intrinsic and monetizable value).
I have no idea how to answer question 2 as it is quantitative. Perhaps an economist has written pricing models for bug bounties and how this should impact cyber-insurance premiums?
For the love of me I could not imagine what implication a huge hack into facebook could have on the civilized world. Imagine someone has a database of all emails with all activities, all connections, on everything everybody in America, Europe and Asia does.
The ability to spam people into oblivion would be just the tip of an iceberg. Most likely countries like the UK or Germany would ban facebook altogether. Not to mention there are millions of active credit cards stored in their wallets. The implication of a hack at that scale would mean hundreds of millions of dollars spent on only printing new plastic cards for affected cardholders.
For $10,000 you cannot even buy a modest 80" TV... I am disappointed how little FB values their system to be secure, but oh well... who uses FB anyways /sarcasm
You haven't given any real refutation to the comment linked by the parent. How qualified is your opinion? You're entitled to it, but know that most bug bounty participants and members of the actual security industry disagree with you.
And I'm reasoning from economic first principles, not experience in the field. From first principles, I don't understand the argument that $10,000 is fair. At least, I don't understand that argument any more than why $10 is fair - which is my point, that it's arbitrary. And in my arbitrary opinion, $10,000 is grossly low compared to the relative work involved and money at stake.
The FBI just paid $1M to access one guy's iPhone. The vulnerability in the linked discussion, which was guaranteed access to any FB account, was a $10,000 bounty. IMO those numbers need to be a lot closer together.
For example, if there was a 1% chance of discovery, and a 50% chance of the person discovering it using it as an exploit, and it cost them 1 day of revenue ($50m) and they used a discount factor of 10%, that would indicate that the bounty would be worth about C * D * E * F = $25k.
If it's likely that the exploit would only last 5 hours, then $10k is a reasonable bounty.
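The expected-loss arithmetic in the comment above (probability of discovery × probability of exploitation × cost × discount factor) is easy to mis-read, so here is an added worked example, not code from any commenter or from Facebook. The factor names are my own labels for the commenter's C, D, E and F, the dollar figures are the comment's illustrative numbers rather than real revenue data, and the example goes slightly beyond the comment by computing the bounty-to-expected-loss ratio for both the one-day and five-hour scenarios.

```python
# Added worked example of the expected-loss bounty estimate sketched in the
# comment above. Names below are my labels for the commenter's C, D, E, F;
# the figures are the comment's illustrative numbers, not real data.

def expected_loss(p_discovery, p_exploit, cost_if_exploited, discount):
    """Expected cost (in dollars) to the company of leaving the bug unfixed.

    p_discovery        C: probability someone else finds the same bug
    p_exploit          D: probability that finder uses it instead of reporting
    cost_if_exploited  E: loss if it is exploited, e.g. lost revenue
    discount           F: factor the company applies to an uncertain future loss
    """
    for factor in (p_discovery, p_exploit, discount):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("probabilities and discount factor must lie in [0, 1]")
    if cost_if_exploited < 0:
        raise ValueError("cost must be non-negative")
    return p_discovery * p_exploit * cost_if_exploited * discount


def outage_cost(daily_revenue, hours):
    """Revenue at risk if the exploit only stays usable for `hours`."""
    return daily_revenue * hours / 24.0


def bounty_ratio(bounty, p_discovery, p_exploit, cost_if_exploited, discount):
    """bounty / expected loss. Below 1.0 the bounty is less than the company
    stands to lose in expectation; above 1.0 it exceeds that expected loss."""
    loss = expected_loss(p_discovery, p_exploit, cost_if_exploited, discount)
    return bounty / loss


def sensitivity(bounty, daily_revenue, p_discovery, discount, hours_options,
                p_exploit_options):
    """Expected loss and bounty ratio for each (hours exposed, p_exploit) pair,
    to show how strongly the estimate depends on the two guessed inputs."""
    rows = []
    for hours in hours_options:
        for p_exploit in p_exploit_options:
            cost = outage_cost(daily_revenue, hours)
            loss = expected_loss(p_discovery, p_exploit, cost, discount)
            rows.append((hours, p_exploit, loss, bounty / loss))
    return rows


if __name__ == "__main__":
    # Illustrative figures from the comment: 1% discovery, 50% exploitation,
    # one day of revenue ($50M) at risk, 10% discount factor, $10k bounty.
    DAILY_REVENUE, BOUNTY = 50_000_000, 10_000
    print("one day exposed :", expected_loss(0.01, 0.5, DAILY_REVENUE, 0.1))
    print("five hours exposed:",
          round(expected_loss(0.01, 0.5, outage_cost(DAILY_REVENUE, 5), 0.1)))
    for hours, p_exploit, loss, ratio in sensitivity(
            BOUNTY, DAILY_REVENUE, 0.01, 0.1, (5, 24, 72), (0.25, 0.5, 1.0)):
        print(f"{hours:>3}h  p_exploit={p_exploit:<5} "
              f"expected_loss=${loss:>12,.0f}  bounty/loss={ratio:.2f}")
```

Running it reproduces the comment's $25k figure for a one-day outage and roughly $5.2k for a five-hour one, and the sensitivity table makes the commenter's own caveat concrete: the answer swings by an order of magnitude depending on two inputs (hours of exposure and probability of exploitation) that nobody can measure.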
That itself is pretty vague to determine as a hack could have an impact on reputation and the impact might not be limited to just one day. Future users might be afraid to use the product, current users might leave in few weeks.
> The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.
I think that statement might apply here given the FTA issues. Hackers could've gotten plenty of mileage out of it. Especially if others at Facebook, like their AI team, used it for something that's a trade secret. That's speculation but it's not like hacking a news feed.
Many possibilities. This was worth way more than $10,000, though, given it detected a subversion. I'd have applied the consultant to a few other areas of my operation given the aptitude.
Part that jumped out at me, aside from obvious goodies, was this:
"FTA is a product which enables secure file transfer, online file sharing and syncing, as well as integration with Single Sign-on mechanisms including AD, LDAP and Kerberos"
"...web-based user interfaces were mainly composed of Perl & PHP... PHP source code was encrypted by IonCube... lots of Perl Daemons in the background"
Wow. That inspires a lot of confidence in the "secure" product. I'd have doubted Facebook relied on such a system had I not known they built their empire on PHP. We all know its reputation. Their "secure, file-transfer appliance" fits right in.
Shameless plug, but if you like that kind of article I suggest signing up for my newsletter: http://bugbountyweekly.com. A free, once-weekly e-mail round-up of news and articles about Bug Bounty.
This also points out a weak area in our knowledge of hacking - how often does a given exploit get rediscovered? This and other anecdotes show that it happens at least once in a while. Prevalence of rediscovery could put the lie to the NSA's "NOBUS" assumption, though. So we're likely to never see the results of such research.
It would certainly require the attacker to be a little more proactive, but it would hardly stop the credentials from being useful.
With the passwords, however, he might have gotten access to the VPN or services. 2FA would have certainly helped.
This is of course only interesting if the passwords were reused (even the most security-minded folks do that). If a third party vendor does not support 2FA, or when dealing with legacy code, I believe it is good practice to only use randomly generated passwords from password managers.
Looking at how egregious their security mistakes are, they don't appear to take security seriously.
This is the same company that (last I was down there) had a billboard on 101 that says "Secure".
Many echoes of Oracle's "unbreakable" ad campaign while being a company that is aggressively bad at security.
How does setting up a shell and collecting credentials and then downloading them later give you a pat on the back?
Is this some kind of a joke?
The person who had problems with Facebook didn't "pivot laterally".
He popped a shell, dumped and banked directories from the server, held them secretly, and used their contents more than a month after reporting the bug to Facebook as a cudgel in a dispute over a bounty.
(b) Please don't accuse me of commenting in bad faith. I don't care whether you use a calm tone of voice or not. It's especially weird to be accused of being in the tank for someone by an anonymous account.
(c) If I'm really incorrect, you should make an actual argument, rather than a drive-by snipe.
I humbly submit for your consideration that my assumption of you making comments in bad faith is not unlike yours and Alex's assumptions of bad faith on the part of the researcher, and perhaps we could all improve a bit here.
Snipe aside (which was fired at facebook, not you), I am genuinely confused about their ambiguous policy, and it looks like other commenters are too.
I don't think Wes acted in good faith in that one but neither did Facebook in anything privacy-related. Who cares about fundamental ethics given parties involved. I will say his actions were nearly warranted if Facebook was promising huge bounties for something that could cause them big problems which that case seemed to be from that thread's comments. I don't know for sure.
Far as escalation or downloading data, I found that to be the only way to get taken seriously by management. Had to be done non-disruptively with trusted personnel, protection of that data (e.g. RAMdrives, crypto), and assurance it was gone after. Rarely even read it as filenames & credentials were enough. Nothing like showing marketing plans or private emails to execs with a contract that's vague enough for it to be legal to get security taken seriously. Responsible disclosure debates of the '90s showed us that letting the vendor decide almost always resulted in them downplaying risk, saying it "hypothetically" could do something but was probably overstated. People playing that game usually get bounties that yearly add up to less than a median IT person.
Rather not play that game. If the company bullshits, do what you can within their legal framework to call them on it and provably without doing any damage. If they didn't in that case, then he went way overboard and looks like he's running an extortion racket. I think key parts of the story aren't published and I can't be sure. Good news is Facebook and Wes both don't mean shit to me. Moving on. Appreciate the entertainment and different perspectives, though. :)