How I got a $3,500 USD Facebook Bug Bounty (detectify.com)
145 points by fransr 1755 days ago | 43 comments

I submitted a report to facebook about privacy setting circumvention. Didn't receive a response. Didn't receive a bounty. Facebook DID fix the bug after some months.

Feel a bit cheated that a billion dollar company couldn't take the time to respond... if I had the time I'd follow up with them.

I'm very sorry you had this experience. We would never intentionally ignore a legitimate bug report. If you could send me a message (link in profile) with the e-mail address you used, I'd be happy to get to the bottom of this.

Bummer to hear, I too reported a privacy setting circumvention, and I did receive compensation. I think a big part of it is being the first person to report the error.

To report a security or privacy vulnerability to Facebook, use their Report a Security Vulnerability form: http://www.facebook.com/whitehat/report/ Any other way and you risk your report not being received.

I did.

This is why we have "Responsible Disclosure". Basically if you make a good faith attempt to tell the company in private, and they do nothing, it is then not wrong for you to publicly release details of the exploit. This tends to get their attention.

Probably wanted to avoid more flak related to privacy concerns ...

In that case they should have expedited a cheque in the mail. I thought they are offering money so we aren't tempted to sell it to malicious parties.

Whenever people teaching others about security mention XSS, I've always wondered whether it really even happens in the real world. I'm sure everybody escapes their input.

Turns out there's a reason XSS is so often mentioned. Even Dropbox and Facebook fell prey to it (although in this case the input wasn't from the web, but rather from their desktop application/service partner).

> I'm sure everybody escapes their input.

That's the fundamental mistake. Don't escape input, escape output. If you're interpolating values into queries, that's an output that you need to escape for. If you're sending data to a browser, that's another output that you need to escape for (with different escaping rules).

It wasn't so many years ago that XSS wasn't on anyone's radar (just like SQL injection years before that). Over the years I've worked on dozens of sites that were exploitable via XSS (many older ones that probably still are).

It's easy to get wrong - especially when you look through the list of different subtle ways you could mis-escape something [0].

The only thing protecting the majority of sites is that exploiting them just isn't desirable.

[0] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She...
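The "escape output, not input" point in the comment above, as an added example that is not code from the thread: one constructed untrusted string is routed to four different sinks, and each sink gets its own escaper, while SQL gets a bound parameter rather than escaping at all. It uses Python's standard html, json, urllib and sqlite3 modules; the function names and the users table are my own.

```python
import html
import json
import sqlite3
from urllib.parse import quote

# Constructed untrusted input; the same string will reach several output contexts.
UNTRUSTED = '"><script>alert(1)</script> O\'Brien & co'

def for_html_text(value: str) -> str:
    """Escape for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)

def for_js_string(value: str) -> str:
    """Escape for interpolation into a string literal inside <script>.
    json.dumps yields a valid JS string literal; '</' is additionally broken
    so the value can never close the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")

def for_url_component(value: str) -> str:
    """Escape for a single query-string value (safe='' also encodes '/')."""
    return quote(value, safe="")

def for_sql(conn: sqlite3.Connection, value: str) -> list:
    """SQL is not an escaping job at all: bind the value as a parameter."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchall()

def demo() -> dict:
    """Route the one untrusted value through every sink with the matching escaper."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", (UNTRUSTED,))
    return {
        "html": for_html_text(UNTRUSTED),
        "js": for_js_string(UNTRUSTED),
        "url": for_url_component(UNTRUSTED),
        "sql_rows": for_sql(conn, UNTRUSTED),
    }

if __name__ == "__main__":
    for sink, out in demo().items():
        print(f"{sink:9} {out}")
```

Note that the HTML escaper's output would still be wrong inside a <script> block or an unquoted attribute; the sink decides the rules, not the source of the data.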

I recently found a pretty simple one on https://accounts.google.com/, which is arguably Google's most valued domain. I believe XSS is the most common vulnerability these days. One doesn't even have to be able to inject javascript per se. Only a CSS style is enough in many cases.

The bounty for that page is ~$10k or such, no? Did you get anything?

Actually it is $3133.7 (eleet). I got it, of course. The security team at Google is, simply put, awesome.

The problem I see is that if you aren't using a templating engine which automatically escapes things, people will make mistakes. Even then, there's times that you need to output raw HTML and perhaps end up forgetting to escape the part that was user input.

Yes, even with just PHP templating, you still would need at least wrapper functions around things like

print htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

Otherwise, yeah, someone will miss one instance and that's all it takes. One attack vector.

Well, PHP doesn't really handle it for you, so you do have to call the function yourself. If you look at something like Razor for ASP.NET MVC, every time you output a var (i.e. <span>@Model.FirstName</span>) it will automatically escape it. If you do not want to escape, then you need to call Html.Raw instead. PHP defaults to not escaping, while it really should, to make XSS less likely.
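The escape-by-default behaviour this comment describes, as an added example that is not code from the thread and is neither Razor nor PHP: a small Python renderer in which every substituted value is escaped unless the template author wraps it in a Raw marker, the same role Html.Raw plays. The Raw type, the render function and the @{name} placeholder syntax are my own.

```python
import html
import re

class Raw(str):
    """Marker type: the template author vouches that this value is already safe HTML.
    Wrapping in Raw is the only way past escaping, like Html.Raw in Razor."""

def escape(value) -> str:
    """Escape everything unless it was explicitly wrapped in Raw."""
    if isinstance(value, Raw):
        return str(value)
    return html.escape(str(value), quote=True)

_PLACEHOLDER = re.compile(r"@\{(\w+)\}")

def render(template: str, **values) -> str:
    """Substitute '@{name}' placeholders; every value passes through escape()."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template variable not supplied: {name}")
        return escape(values[name])
    return _PLACEHOLDER.sub(substitute, template)

def demo() -> dict:
    """Constructed payload rendered through the safe default and the Raw opt-out."""
    first_name = "<img src=x onerror=alert(1)>"   # constructed untrusted profile value
    page = "<span>@{first_name}</span>"
    return {
        "default": render(page, first_name=first_name),
        "raw_opt_out": render(page, first_name=Raw(first_name)),
        "trusted_markup": render("<p>@{badge}</p>", badge=Raw("<b>verified</b>")),
    }

if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case:15} {out}")
```

The "raw_opt_out" entry is the mistake the comment warns about: once a value is marked Raw, the renderer cannot tell trusted markup from a user's profile field, so Raw must be grep-able and rare.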

A few years ago, I found a simple one on the apple.com store. No bounty, but they said thanks in an email! :)

Yes. And SQL injections are still #1 followed by code injection as #2 app vulnerabilities (I believe that's from last year but I wouldn't expect changes). XSS is up there. Why not? It's so easy and there is no excuse for any of this. None. Period.

Props to Facebook for being so responsible about fixing this bug. After seeing so many blog posts about companies not responding to emails from whitehats finding XSS vulnerabilities (http://www.troyhunt.com/2012/08/why-xss-is-serious-business-...), it's comforting to see someone take such reports seriously.

This is the point of responsible disclosure. Tell the company, wait a week or whatever, if they do nothing, then it's ethical for you to tell the world.

I bet the Blackhat Vulnerability Program would've paid a lot more.

For XSS? No.

With CPA + FB traffic on such a large scale, one could easily make $50k+ in a week with multiple CPA networks.

Knowing what little I do about the market for browser code execution vulnerabilities, I am very skeptical that there is a black hat market that pays 5 figures for XSS.

If you have evidence of a market that pays 5 figures for XSS, I'd sure be interested in hearing about it.

Of course it would. That's the idea of blackhat.

That goes against some people's conscience and they would find it immoral to do the wrong thing.

(i.e. you won't get that warm fuzzy feeling of doing the right thing with the blackhat market)

Do they give you a CC number you can use as much as you want?

Yeah, the OP is a really nice person. Because FB doesn't deserve this, not for $3.5k, maybe for $35k but more for around $350k to $3.5m. Guaranteed by contract.

lol.. I found a bug in PayPal which allowed me to transfer funds from one account to another, even though this was prohibited.

I got nothing. Maybe next time I'll just post this stuff for random people on Twitter to find.

Wow, so all that happens if you save Dropbox's ass is that you get a special mention on their special page that very few people know about?

Why even bother to tell them then?

The security community has curious norms for social status, when viewed from the outside. This is true of many communities. (A brief sampling: karma on HN looks crazy to Japanese salarymen. An open-floorplan desk closest to the window looks crazy to an American academic. "Your name, in small print, first among three names in a dead-tree publication that no one reads." sounds pretty crazy to most HNers.)

There's very curious mating rituals for selling security consulting. Ask Thomas for the specifics -- he's far better versed in them than I am. Suffice it to say that "I owned X -- here's proof" is very much not of zero value while you're doing that dance.

Well, one obvious answer would be, "don't bother to tell them".

Of course, it's hard to think of what else you might do with a Dropbox web finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities. For one thing, vulnerabilities that do have markets tend to have patch lifecycles longer than "instantaneously fixed as soon as target finds out about vulnerability".

You can also choose to publish on your own website. This buys you not a whole lot more than just informing Dropbox, except to signal to the professional market that you will go out of your way not to help people like Dropbox when you find a bug.

Nobody in the whole wide world is obligated to do free research for Dropbox. That's not what pages like these are meant to imply.

Thanks for the illumination. I don't have any specific issue with Dropbox, I am just tired of doing free work for corporations in return for a small increment in some integer in some database (HN, Reddit or /. karma) when that increment is neither worth money nor going to get me laid.

"Why even bother to tell them then?"

Believe it or not, there is also the aspect of civil courage, one willing to protect the others from potential harm. Detectify was born out of the frustration that an overwhelming part of the internet is completely insecure for users. Usually completely unaware users.

Analogy: It's like you walking by a leaning scaffold with people passing under it. You realize that the scaffold is just a hair's breadth from rambling down, potentially harming a bunch of people. Bounty or not, you report to the authorities or the hard hats. Don't you?

Co-founder @ detectify.com Happy to be making a buck while hopefully making the interwebz a safer place ;)

Being on the thanks page looks great on your Résumé, which can land you a nice, high-paying job.

They also give you a pretty large amount of storage for life.

Wait, Facebook has like millions of bugs -.- though maybe UI glitches aren't considered bugs.

I submitted an error (and a solution) in their Open Graph docs that caused a bug if anybody copy/pasted the code from their site. The error was fixed within hours, however I never got any money or even an email :(

It's more of a "security bug bounty". I'm sure they appreciate your fix, but that's not really the point of the program. ;-)

(This is quite clear from http://www.facebook.com/whitehat/bounty/.)

Publish it afterwards!
