That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.
But yes, even with that in mind: a 4-hour turnaround is damn impressive.
Obviously not all companies behave this way, but they should!
Media sucks because you* suck.
*The collective societal you, not the particular individual you.
Some might claim they get downvoted because they are "low quality" to which I'd retort why spend a lot of time crafting a "quality" reply when you know it's going to be suppressed?
I even tagged you as 'shitty commenter', which I don't do too often. But with some commenters I'm just amazed at how they can consistently keep this up without tiring of it.
If he said in a public blog post that it took them a month to fix something so simple, I could see the shit storm aimed at Facebook on social networks (including here), but I highly doubt any user would be compromised.
I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.
git pull; sh tests; rsync /prod/ all@prod:/var/www/
^ That is copyrighted by the way. I'll take a consultant fee. I know - I know it should be thousands of lines of puppet, jenkins, hooks, Kubernetes, Salt, and 2 million lines of python and ELM all piped through Docker containers -- I am NOT an animal.
while true; do git pull; sh tests && rsync /prod/ all@prod:/var/www/;done
those ... those semicolons should be &&
Also, mktemp and shell exit traps are your friends.
The difficult part is having someone who reads the report and escalates it, preferably in a timely manner.
Trivial. That's what Oculus said.
I don’t think that’s the bug here; the bug here is the authorization check not being there.
That parameter is trivial to obtain using other ways even now.
Did they notify users whose data were compromised?
That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.
First6 will give you the ability to know the issuing bank of the card (so an email can be crafted to look like those banks' emails). Plus last4 tends to be used by banks as a "hey, we know who you are!" when they send emails.
It is not required for charging a card, it is for reducing fraud.
Facebook was providing:
Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.
Given the ability for attackers to quickly guess CVV and the remaining digits, the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.
This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.
That's even before we take into account the account take over possibilities since those card details are used by other companies as verification for account recovery. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.
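The points made above (first 6 + last 4 as a PCI-permitted display form, the stricter last-4-only form, and merchant-bound tokens that cannot be reused elsewhere) as an added example; this is not code from Facebook, Visa, MasterCard or any PCI tool. The test PAN is the well-known 4111... sample number, and the merchant ids and vault are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed illustration for this thread; the vault is an in-memory stand-in
# for a real tokenization service.

def luhn_valid(pan: str) -> bool:
    """Luhn check over the full PAN (the last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6) -> str:
    """PCI-style display form: at most the first 6 and last 4 stay visible.
    keep_first=0 gives the stricter last-4-only form the thread argues for."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    keep_first = min(keep_first, 6)
    return pan[:keep_first] + "*" * (len(pan) - keep_first - 4) + pan[-4:]

class TokenVault:
    """Minimal merchant-scoped vault: a token is random, bound to the merchant
    that created it, and resolves to nothing for anyone else."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def tokenize(self, merchant_id: str, pan: str) -> str:
        mask_pan(pan)  # validates the PAN before anything is stored
        token = secrets.token_hex(16)
        self._store[(merchant_id, token)] = pan
        return token

    def detokenize(self, merchant_id: str, token: str) -> Optional[str]:
        # Lookup is keyed on (merchant, token): a token taken from one merchant
        # does not resolve at another, so the stored reference is not reusable.
        return self._store.get((merchant_id, token))
```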
Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!
I'm not sure what types of enterprises actually use formal verification since it's very costly. Writing software is much faster than verifying it. Embedded auto, aerospace, industrial applications, sure. Facebook? I doubt it.
Such methods could be useful, maybe coupled with fuzzing, for breaking software too. It might suggest avenues for exploit.
Systems like Coq are used more naturally in math proofs, but even there it's very hard to apply.
I noticed how similar the thought process was to GDPR work I've been involved in, where, for example, we can keep track of Last name and Phone Number in our company, but they could never be at rest unencrypted and unhashed in the same system. Or First Name + Job Title + Location but only 2 of those three can co-exist. It seemed like the kind of thing that would have a formal way of expressing. Our GDPR consultants were unhelpful in that.
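One way to give the co-existence constraints in the comment above a formal, checkable form, as an added example (not from any GDPR consultancy or product); the field names, rule names and protection states are constructed from the comment's two examples.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed illustration: rules are data, and a system's stored fields are
# checked against them. Protection state is "plain", "encrypted" or "hashed".

@dataclass(frozen=True)
class Rule:
    name: str
    fields: FrozenSet[str]
    max_present: int  # how many of these fields may exist in one system at all
    max_plain: int    # how many may be at rest unencrypted and unhashed

RULES = [
    # Last name and phone may both be stored, but never both in the clear.
    Rule("name+phone", frozenset({"last_name", "phone"}),
         max_present=2, max_plain=1),
    # Only two of first name, job title and location may co-exist.
    Rule("name/title/location",
         frozenset({"first_name", "job_title", "location"}),
         max_present=2, max_plain=2),
]

def check_system(system: Dict[str, str], rules: List[Rule] = RULES) -> List[str]:
    """system maps stored field -> protection state. Returns one message per
    violated rule; an empty list means the layout is allowed."""
    problems = []
    for r in rules:
        present = sorted(f for f in r.fields if f in system)
        plain = [f for f in present if system[f] == "plain"]
        if len(present) > r.max_present:
            problems.append(f"{r.name}: {present} co-exist, max {r.max_present}")
        if len(plain) > r.max_plain:
            problems.append(f"{r.name}: {plain} unprotected, max {r.max_plain}")
    return problems

def can_add(system: Dict[str, str], field: str, state: str,
            rules: List[Rule] = RULES) -> bool:
    """Would adding `field` in `state` keep the system within the rules?"""
    trial = dict(system)
    trial[field] = state
    return not check_system(trial, rules)
```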
Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.
A: that was fast!
B: that's because it was very serious!
Where is the cynicism? Can it not be summarized as: they fixed a serious issue very quickly?
Sounded to me more like "of course they fixed it fast, this is a serious issue", and undermined the speed it got resolved. Probably my bad.
Most likely a single dedicated person at FB.
Even if the fix was done by one "dedicated employee", they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.
Even things like bugfixes are rarely entirely creditable to only developers.
Judging by the name of the endpoint, it probably wasn't a super-complicated fix anyway - just disable / blacklist the endpoint that was obviously a mistake / test.
So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...
Advertisement is Facebook's #1 revenue model, it's literally why they exist. I wish everyone who's used FB would sign up for a business page and place an ad; it's illuminating to see just how detailed their tools are.
Same with Google PPC and Bing etc etc.
I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.
It's how they exist, not why.
I do agree that their data collection is very creepy.
I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.
`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers internally to show how to display a list of "oneself's friends with auto-pagination" using GraphQL and ComponentScript inside their Facebook main app.
P.S. I don't work at Facebook. But this is something I stumbled across in their app.