
This was indeed a bug, and shouldn't work any more. We turned off the system that lets you report content through this flow (and thus made this bug's code inaccessible) as soon as we became aware of the issue.

In the future, if you find a security / privacy bug on Facebook, feel free to report it via our whitehat program, which will get things looked at more quickly than random blog posts. You can get credit for the find and even make money with bug-bounty payouts: http://www.facebook.com/whitehat/.

For what it's worth, a few people were alluding to this meaning that we don't check privacy by default. In fact we do have a pretty robust default-deny system for running privacy checks. This was an edge case where it was forced to work in a way that was incorrect.

(I work at Facebook, but not on this system.)

It's still possible to make the request using:

  http://www.facebook.com/ajax/report/social.php?__a=1&__d=1&attach_additional_photos=1&cid=XX&content_type=0&h=YY&phase=6&report_id=1&rid=XX
Where XX and YY can be found by watching the net request made when clicking the initial Report/Block button.

That said, I'm not sure if it is returning private photos, or just photos that are public - possibly you guys have fixed it on this side, not just the front end having links to it, but figured I'd mention it in case not.


Thanks, we'll take a look. In the future you should use https://www.facebook.com/whitehat/ though, as I unfortunately don't catch every HN comment :-).


Figured there was a good chance you'd already know whether that has been patched and only gives results for non-private photos or not, so seemed a potentially easier option :)


It is great that you have a page specifically for reporting security issues. For some companies I had to resort to reporting security issues to the main contact address where it landed at some first-level support guy's desk who had no idea what to do and in the end I gave up and the security hole stayed open.

One thing though: Your bounty of $500 is quite low. I bet this whole incident did/does a lot more damage than that. And to be honest, if I had the choice between $500 and trolling Mark Zuckerberg by posting his private photos album online, I would probably choose the latter option (sans the posting a howto on a forum part).

Disclaimer: I am not a security researcher, I don't even look for vulnerabilities. I just sometimes stumble upon bugs and get curious what other side-effects this bug might cause.


Glad you like it! $500 is actually just the base bounty - I've seen payouts for quite a bit more depending on how nasty the bug is.

At least for me personally, it's not the posting of one person's private photos that is most frustrating - it's public posting of repro instructions so that script kiddies can exploit a bug. That just seems irresponsible.


Knowing about your special page for reporting privacy holes would not change my decision to post it here. I think more good will come when media picks it up and some Facebook users realize that a company with your record of terrible privacy decisions and incompetence should not be used for posting anything private or even at all. If you were a startup stretched for resources or if this hole could've been exploited to install malware, I'd of course attempt to contact you first. $500 for reporting security holes for a company of your size is also insulting, BTW.


The idea with responsible disclosure is that you want to maximize safety of the public by incentivizing vendors to fix problems while not letting malicious actors exploit them: http://en.wikipedia.org/wiki/Responsible_disclosure. Once the vendor has fixed the flaw (or refused to, or taken longer than a reasonable time to do so), it's generally accepted as OK to publish details. You can of course get whatever media coverage you want at that point.

I'm curious - do you think responsible disclosure is a bad idea? Or is the "badness" of this bug small enough (compared to malware) that you think it's better for the common good to publicly post the repro instructions and enable many users to exploit it?

I think having a bug bounty program is actually a lot better than the vast majority of sites / vendors that don't even have a whitehat disclosure program, let alone a bug bounty program. It's worth noting that this is just the base bounty - I've seen us pay out a lot more for good discoveries. $500 is also the base that Google and Mozilla offer for their programs (http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w..., http://www.mozilla.org/security/bug-bounty.html). What would be a good price, do you think? I'm not hooked in enough to know what black market prices are like for bugs like this.


Ah, just realized you're the OP. I don't think there's anything particularly irresponsible about posting an already-public disclosure to HN or other aggregators. It's the first person posting it publicly without first privately disclosing that I find irresponsible.


May I ask for your opinion on the $500 bounty issue that was mentioned?


from http://news.ycombinator.com/item?id=3321366:

> I think having a bug bounty program is actually a lot better than the vast majority of sites / vendors that don't even have a whitehat [aka responsible] disclosure program, let alone a bug bounty program. It's worth noting that this is just the base bounty - I've seen us pay out a lot more for good discoveries. $500 is also the base that Google and Mozilla offer for their programs (http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w..., http://www.mozilla.org/security/bug-bounty.html). What would be a good price, do you think? I'm not hooked in enough to know what black market prices are like for bugs like this.


This was a couple of years back, so maybe the attitude has changed, but... The last time I reported a security problem to Facebook, I got an email warning me about my online activity, telling me that my account might have been hacked, and that my password had been changed as a result. Several weeks later the problem I had been trying to report was still there. I've heard similar experiences from several other people - so even though this guy looks like he was being irresponsible, I personally will no longer report security problems to Facebook because I don't feel like it would get taken seriously, and will probably only inconvenience me further. I'm not sharing this to flame Facebook, I just would honestly like someone on the inside to know this is a problem. I never knew about the whitehat link because all I see on the Help page is targeted towards victims that probably don't know what they're doing.


Shoot, sorry to hear that. I think our attitude has always been pretty good, but the communications channels a few years ago were just not great or easy to find (it sounds like you were stuck on a "my account was hacked" workflow).

We've improved a lot in the last couple years though - we launched the explicit whitehat program in 2010: http://www.insidefacebook.com/2010/12/22/facebook-security-t... and the bug bounty in July of this year: https://www.facebook.com/security/posts/238039389561434.

Feel free to respond here or let me know if you ever run into similar issues with the whitehat program (hopefully you'll change your mind about no longer reporting security problems!).


Well like you said, with an explicit whitehat program, I do think that improves things a lot. The main problem was that I didn't know what to do to not come across as the enemy and/or a nuisance. Next time I find a problem - I'll give the whitehat route a shot - so thanks for sharing.


If people submit via that whitehat feature, do you publicize "XY was possible until 20XX-XX-XX"? I consider that important information.


I don't think we post any details about the exploit, just the fact that someone reported it (see https://www.facebook.com/whitehat). Of course, once we've fixed the bug, the reporter is free to write about the exploit, how long it was live, etc.


I did not mean details about the exploit but details about what the exploit enabled an attacker to do/see.


Yeah, after it's been fixed the person who discovered it is welcome to post details about what it would allow an attacker to do / see / etc.


I think what the OP is trying to say is that Facebook (as the custodian of our private data) should make available a list of resolved exploits such that we may be aware of potential data leaks.

Eg - up until today, and for who knows how long, photos you thought were private may have been accessed by undesirables.


Yes. In my opinion a website that is open and honest about its caring about privacy would do that.
