Good work. I see a lot of people are surprised at the amount received for this report. Yes, that is typical of both Facebook and Google (and to a lesser extent, Yahoo will pay large sums for particularly bad bugs). They are extremely generous - Facebook recently paid $5000 for a bug report that existed in their careers portal despite that infrastructure being entirely third party.
If anyone wants to try and replicate this sort of thing, consider this: the mobile applications (touch.facebook.com, iOS/Android apps) that Facebook use very often take advantage of legacy api calls and code that the main web application has long since disposed of.
A well known researcher, Stephen Sclafani ('ssclafani) received a bounty of $25,000 for arbitrary account takeover using the legacy api.
Legacy code is generally the first place to look for vulnerabilities. Legacy apis which are still allowed to exist for backwards compatibility are prime areas to search for bug bounties.
Another good place is at edges of systems, particularly where they rub each other in fraught ways. What's the rule that says that computer systems invariably take on the architecture of the organizations that make them? You can predict Terrible Code Exists Here by getting a list of team names from the target (trivial -- use LinkedIn or ask anyone who works there) and then figuring out where those teams have shipped half-assed worked-on-my-machine glue code to tie their systems together.
A common example: any handoff between a marketing site (or email) and a SaaS app more complicated than "Clicking this unchanging link takes you to a login form" almost certainly involves two teams and was somebody's perceived least important thing to do that day.
I think this post is a hoax. A lot of things don't add up.
I thought there would be more interesting security posts and this is the only post on the entire site.
The site was registered just 2 days ago, see http://www.whois.com/whois/7xter.com . Then if you search on Google for the email that registered the site (laksshmanan51@gmail.com) you get this http://apnahindisms.blogspot.mx/2014/09/bewafa-shayari-in-hi.... that has "You can earn huge using your Facebook page. Please let me know if you are interested. Shoot me a mail laksshmanan51@gmail.com"
Agreed. Touch/m.facebook.com have had major holes exist for long after they have been plugged on the main site. It was iframeable long after the main site wasn't (and thus subject to clickjacking). Also, for a long time you could invite anyone to events by Facebook ID by posting the correct calls to the mobile site, essentially without limit, even after the issue was fixed on the main site. Since custom messages could be embedded in the invitations, it was a spam free-for-all.
Philippe Harewood (@phwd on Twitter) maintains a list of published Facebook bug bounty reports. It's a very good resource for anyone looking to learn about bug bounties and web app security in general: https://www.facebook.com/notes/phwd/facebook-bug-bounties/70...
If $12,500 seems like a lot of money, remember that Facebook theoretically loses $22,453 for every minute their website is down. In other words, they generate $12,500 every 33 seconds.
Paying out that sum of money to increase the number of people searching for security flaws is quite smart.
I understand your sentiment here, but that's a difficult comparison. Friends of mine make more money hunting bug bounties each year than their (competitive) full time salaries as consultants or developers.
These sorts of things are publicly verifiable - Michal Zalewski has commented on it before as a member of the Google appsec team, and if you look on Twitter for writeups from the same folks you come to the same conclusion. I have in mind one particular friend who literally bankrupted a bug bounty in three hours.
Another security researcher by the name of Nicholas Gregoire earned $35,000 combined from Yahoo and Facebook for a single vulnerability in each company - both server-side request forgery. He found it in Yahoo's YQL console, then decided to look elsewhere for it in a very deterministic fashion, and came across it in Parse (Facebook). He found many more bugs in a period of a few months, but he explicitly didn't look as seriously as some people do, which entails actively tracking acquisitions by companies like Google and Facebook.
It can be something of a meat grinder, but finding bug bounties is extremely profitable work. Then of course, having this work on a résumé is an immediate step up for getting interviews.
I completely understand the personal motivation behind solving these bounties, but when you talk about people earning a lot of money you are talking about outliers. It is profitable work for very few elite security researchers. Most computer security people will never find a bug in Google Chrome.
While this is absolutely true, I know some people that like to do this type of stuff for "fun" and the bounty is just icing on the cake. It also won't hurt him in finding that kind of work in the future.
Yeah, I feel it's more about earning respect than making a living.
"I made $10k just for a quick hack"[1] has enormous bragging value - it's both a large enough payout for that, and it can actually be used without going to jail. Much better than actually bringing Facebook down.
[1] It doesn't matter how much work went into finding the exploit, one can still brag about doing it left-handed in 5 minutes.
...especially if he can put that he's gotten that big a payout from Facebook's bug bounty program on his résumé.
This isn't (generally) about the absolute dollar amount. It's a prestige thing, it's a pride thing, and it's an accomplishment thing. For the preponderance of people that participate in bug bounties, the money is probably very much secondary.
Yet there's no way to tell FB about problems without having an account (that I could find in 5 minutes). I found potential phishing attempts in the Windows Store, suggested apps right from the start menu. MS refuses to do anything about phishing/scams on their store, and FB offers no way to contact them (I tried a few email addresses like legal@, to no response).
I'm just trying to let FB know of a potential phishing attempt that's targeting all Windows users. I don't care about the bounty, in fact I only care a: to teach MS a lesson and b: to annoy the "developers" scamming people. I don't care enough to sign up for FB. Every other company I've dealt with on this, except some of the large media companies, have been easy enough to contact about the problem.
To be clear, the issue is: Windows users using the Windows search feature, or directly using the Windows Store, are presented with fake FB apps claiming to be official. Contacting MS support gets useless replies, as they are trying to pump their app counts. Meanwhile, normal users end up installing a potentially malicious app, claiming to be the official FB app. FB needs to send a takedown.
Things might have changed over the past 12 months, but if you report an app from the Store app in Windows 8, the report gets looked at, and they were good about removing apps that had issues.
I say this since I went through this process myself about a year ago and the app I reported was taken down. Full disclosure: I worked on the app store team, but didn't use any internal mechanism.
I've been going through this recently quite a bit. Reporting stuff is a waste of time, except for entertainment purposes.
I've reported all sorts of things. In nearly every single case, they say they cannot do anything. Even when there's a fake DropBox app "by" "@Microsoft". In that case, the CSR told me to try re-installing the app, that it worked for him. Zero understanding of the issue.
I've found a fake Windows Update on the Store. Reporting it got a generic response, until I emailed the MS security folks. Then it was removed in a few minutes. Meanwhile, they suggest I "Leave a review" or email the developer. Idiotic.
Netflix went back and forth with MS at least 3 times. Amazon had issues as well. Other ISVs tell me they can simply not get MS to be responsive about things.
Disney was the funniest response. Despite being a major Store publisher, there's all sorts of fake Disney stuff online. When I spoke to the Disney Store about it, the final suggestion was "don't go on it [the Windows Store]". Neato.
It's obvious MS is just padding the app numbers and no review is actually happening. It's a shame, since it undermines all the work; the Windows Store is a joke even with casual users. (Like even meeting random people on a plane and asking.) I emailed Satya. I emailed the GM of the Store. I emailed the Dev evangelist pushing the "let's pay people in third world countries 4 months salary for publishing 20 shitty wrap-a-webpage apps" program. No replies.
I really hope they enable an Android compat layer. Even if it's slow, A: tons of random utility apps will be available, B: MS can enforce some quality instead of quantity.
I find it hard to believe MS isn't aware of these issues, unless no one actually uses it (Win10 makes it more in-your-face, though). Someone must have a bonus that's tied to "published app count". Neither Apple nor Google have these issues. The Store is worse than the Android Marketplace was.
For the seriousness of this bug 12k doesn't seem like much to me. I don't know if I would turn it in for that little. With my personal dislike of Facebook, the alternative is so very, very tempting...
Doubt you would do any real damage, I believe in the past it has been noted that deleting photos on Facebook won't remove the actual images from their servers. So it is likely possible that they could simply identify photos deleted in this way and restore them.
I'm guessing the alternative he's referring to is the black market.
However I'm not sure if the risk of being caught is considered in this. If you can get, let's say, X times more in the black market but also risk 10 or 20 or whatever years in jail as well, I'm not sure those 12.5k seem that bad.
Edit: Or maybe doing extortion on someone? But how much could you get by threatening to delete someone's photos? I'm guessing not much... no?
And when you inevitably do get caught red handed, don't worry, because you'll have a Greek Chorus of Internet commenters making t-shirts advocating your release and writing Boing Boing articles about how you got screwed. Unless your offense involves credit cards, the celebrity might be worth the (very minimal) sentence you'll end up with.
It probably also gives somebody discovering the flaw a disincentive for exploiting it just for fun and then bragging about it since there will be no payout in that case.
Holy heck, $12.5K? That's one heck of a nice bug bounty program Facebook has there. That is likely more than the black market would pay for this, or at least a lot less hassle (plus the black market might have little interest as this cannot be used for hijackings, just trolling/harassment).
No, but imagine the resources they would have had to throw at the problem if the user had instead decided to delete ALL the photo albums on the site. Or imagine if he had used the exploit to delete all the photos of a movie launch, etc. The reward is appropriate.
I'm guessing not much? I was under the impression that nothing you delete on Facebook is ever truly deleted, just marked as disabled and hidden. And if they're logging their API calls it should be fairly straightforward to look up which albums were disabled using that one token and switch the flag back.
Not from this point of view, but from a marketing point of view, deleting photos is quite a power. Imagine being able to ruin a movie's launch while your own movie is all over youtube.
Half-life means what it usually does: time until 50% of the thing (vulnerable clients) have evaporated. You can plot out a decay curve. Vulnerabilities are valuable when many clients still exist which can be profitably exploited.
The half-life of this bug is ~0. As soon as Facebook becomes aware of it, it is nearly instantly fixed everywhere. This is very not the case if you get e.g. code execution on a version of Java which will take 50 months to completely disappear from the wild.
It's not very useful to compare bug bounty payouts to what the "black market" would pay for a vulnerability.
Let's look through the challenges of selling a vulnerability that allows for arbitrary account takeover (much more serious than this):
0. Find the vulnerability. Assume that no one will find it by the time you find a third party buyer.
1. Look for a buyer. If you're not well-connected, you might stumble into an FBI honeypot (a sting operation) because you don't know what you're doing. But let's assume you know what you're doing and you find a buyer.
2. You negotiate a price. You don't receive much more than Facebook would pay you (if they even give you that much) for a few reasons:
a. The vulnerability can only be used on Facebook, so it's not vendor agnostic (compare Heartbleed, Shellshock);
b. The vulnerability has an extremely small window of capitalization - it will be discovered within a week of use, maybe less. The Facebook incident response team is spectacular.
c. You need to figure out a sufficient monetization strategy for distributing malware or spam using profiles that are taken over using this vulnerability. You have a week of use, much less if you try to take over accounts too aggressively. Now you're going up against all of Facebook's other protections - once you have the account, spreading malware will either be algorithmically discovered by Facebook or reported by other users.
With an organized crime unit composed of professional hackers, this might pay off. Maybe. And that is for one of the most serious bugs you can find. You're better off just taking what Facebook (generously) gives you.
The classical fallacy people fall into is believing that a web application vulnerability is worth much, especially the variety most tech companies have to offer. It's certainly serious, yes, but it's only worth what a market will pay for it. It's worth a lot to Facebook for brand integrity. It's not worth a lot to hackers looking to make money.
The only web applications that might be worth real money would be banks or government institutions (or similar platforms). Real money is found in vulnerabilities on desktop clients, especially memory corruption vulnerabilities, or in ubiquitous software that affects servers. You want to be able to compromise a user for use in a botnet or distribute malware to steal their money or personal information. Alternatively, you want to be able to attack, say, 30% of the websites on the internet with a wide variety of options after you get in.
Examples include:
• Vulnerabilities in Flash.
• Vulnerabilities in Python, Ruby or corresponding web frameworks.
• Code execution in iOS that allows a jailbreak (most sources indicate the going price for this is $500,000). Other vulnerabilities as well, such as compromising app store receipts or in-app purchase checks.
• Vulnerabilities in Android, up to and including code execution.
• A game over flaw in any number of ubiquitous software packages used on Linux servers with root access.
• A sandbox escape in OS X or Windows (you'll be paid more for Windows but both are lucrative).
Looking over your list it seems that Shellshock (and possibly heartbleed) would have been extremely profitable on the black market. Any guess as to their selling price?
In a week, an attacker with an account-takeover exploit could attack every high-profile celebrity and likely dig up enough dirt on them to get far more than $50,000 in hush money. Or they could go the old-fashioned route and use it to snoop on the plans of wealthy people to kidnap them and hold them for ransom. There are many, many possibilities for making money if you can gain access to anyone's facebook account, even if it is just for a week. $50,000 is not an extraordinarily large compensation for ethically disclosing an exploit of this nature by any means.
Do you have firsthand or even secondhand knowledge of a market for account takeover bugs where the buyers are monetizing those bugs via celebrity dirt? Do you have knowledge of markets for account takeover where buyers are directly monetizing those bugs at all?
I'm not asking if you can hypothesize such a market. I'm asking if you know about one actually existing.
It's been suggested to me that there is in fact at least one set of buyers for account takeover bugs. But they aren't monetizing those accounts.
I don't, but I strongly suspect they exist. While it's not my MO, I am quite certain that a blackhat-hacker with an exploit that enables them to compromise anyone's personal account would have the idea to target wealthy/famous people for personal gain. I also don't think it's beyond reason to think they could generate more than $50,000 through malicious means. Doing it without getting caught would be the challenging part, I guess.
I browsed through the site thinking there were some other interesting security posts.
Turns out this is the only post on the site. Then I did a Whois and this site was created 2 days ago. It's registered to laksshmanan51@gmail.com which is apparently the same guy on the post. Then I did a search on Google for laksshmanan51@gmail.com and there are search results with "You can earn huge using your Facebook page. Please let me know if you are interested. Shoot me a mail laksshmanan51@gmail.com"
This just doesn't pass the smell test with me, seems to me this guy just pwned a lot of people to get ad clicks or something else.
Those are two completely different skill sets. One is knowledge of vulnerabilities and security, the other is about good web practices. There is no overlap in skill set here.
I suspect, though of course have no proof, that the bounty was this size because FB found a large number of other API calls similarly exploitable and locked them down in one go.
What do you do when you think a company would just fix the bug based on your report and not pay out anything? I have seen so many bugs in the wild like this. For example a site in the uk where I can get access to any account I wish.
Are there any data protection laws that would provide leverage? How would you make first contact with a company that doesn't advertise a bug bounty program?
Does this kind of email seem ok?
"Hi, I have seen a security vulnerability on your site. How do I report it? What do you pay?…
May you respond in the next 7 days or I will be forced to take this to xxx.org for the protection of your users"
No, that email doesn't seem okay at all. That's extortion. A company has every right to not offer a bug bounty, and to fully prosecute you for trying to find a vulnerability (you can quibble about what "trying to find a vulnerability" means, but they have the right, like it or not). You have no right to demand payment for a perceived vulnerability in a company's infrastructure, even if they have a bug bounty program.
The most serious vulnerabilities I ever found (read: the greatest potential for exploitation) came from reports to companies without bug bounties, so I know the position you're in. But looking for payment in return for vulnerabilities outside of the context of a bug bounty sets a precedent for the wrong motivation and is inherently adversarial to the company. Do not fish for vulnerabilities, then try to hold out your report for payment. Whether or not you believe it is unethical is a matter of personal opinion I suppose (I believe it's unethical), but it is at least illegal.
Now, let me clarify: there is nothing wrong with giving a company a deadline before you go public. But 7 days is far too small of a deadline. 90 days is better. And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck.
When you find a vulnerability like this, you proceed carefully. Contact a software developer, or better yet, a security team member (if they have one) who is technically savvy enough to understand your report. It would be best to do this anonymously. Email is strongly preferable, but you can escalate to Twitter if it means being put in contact with the right person. Obviously this means asking for help with security on Twitter, not disclosing the vulnerability publicly.
> "And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck."
What if you aren't a professional security researcher, though? I'm sure there are plenty of underpaid people out there who stumble onto bugs like this every so often. Yes, asking the company to give you money on threat of revealing the bug is definitely extortion, but you are assuming a little too much in this case I believe. Some people may truly need the money.
Needing money is not, in our current economic system, enough cause to get it. If we are accepting the premise that extorting people this way is illegal and unethical, it doesn't become more legal because you are poor or not a professional, and probably not more ethical either.
Exactly what I was looking for, thanks. 90 days seems to ring a bell with what google is doing at the moment with microsoft, apple etc. Maybe not so much for (in this case) simply adding the http flag to your plain text user session cookie. But this is what I was looking for, best practices.
>to fully prosecute you for trying to find a vulnerability
Wouldn't that strongly depend on how you found it? E.g. if a friend sends you an invite to share files on dropboks.com (hypothetical Dropbox-like service) and you copy and paste only part of the link, you now have access to his files (think /mergers/dove-soap but you insert /mergers/ and get to see all his mergers). In this case you stumbled on a huge security issue, but how did you do anything illegal?
Edit: I should probably expand on that. Telling a company that you know about a bug but won't tell them about it if they don't pay you and instead threaten to turn it over to other parties who may have more nefarious intentions is pretty much extortion and is likely illegal.
I understand that you'd want to make money out of it, but if the company offers no bug bounty, it's no good threatening them. If you do so, it'll likely trigger a hostile response.
But is it my responsibility to spend time reporting this to them? Should I leave the vulnerability for others to take advantage of, if they come across it? How do I know that others aren't already doing so?
With this specific vulnerability it could be used to build an address book of emails, {home,work} addresses, telephone numbers etc., given the nature of the app.
Not like that. A few times I've gotten free software, twice I got some recognition, and one time I got $500. This was years ago before bug bounties were a thing. I simply emailed a technical person (once I called cause I had a prior business relationship) saying I had found a bug with security implications and I want to let them know privately, who's the best person. Always someone has been grateful at least. After you've explained everything to the right person and they get back to you, then you can ask. The $500 I did not even ask, I was assuming it would be like with the large company that simply mentioned my employer in the notice, it was from another large company, that floored me.
edit: And you're probably not going to get anything for what you found, but you'll get a thanks if you go around it right, and you'll get arrested or ignored if you don't. You might get some recognition too, and that's worth a lot when you are young.
It seems like Facebook's Bug Bounty Program payment processor bugbountypayments.com is down http://isup.me/bugbountypayments.com . Anyone have any experience with that site? I haven't heard of it coming up before in security program discussions on HN or elsewhere.
It's really surprising to me that a user could take their access token and request a deletion of a resource that they do not have authorization to delete... and it deletes it. I wonder if they have any more authorization issues like this.
I'm struggling to not sound rude, but that's the whole point of the submission. He was surprised, you're surprised, I'm surprised, everyone here is surprised. Facebook was so surprised that they gave him money.
I've never been more motivated to sign up for FB like I am now so I checked out the eligibility rules for the bug bounty and I found one interesting rule:
> Not reside in a country under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Keyword there is any. Some Russian officials are under U.S. sanctions, does that mean Russian citizens are not eligible for the bounty?
I ask cause according to Wikipedia[0], I reside in a country under U.S. sanctions but the sanctions apply to certain people instead of the entire country.
Is anyone else kind of shocked that this particular vulnerability exists given that Facebook employs "the best and brightest" in the industry?
This isn't one of those vulnerabilities that relies on numerous seemingly unrelated steps and makes you wonder how the person ever thought it up.
Instead, this is security 101 stuff. Facebook simply wasn't making sure userFor(appKey) == owner(albumId). I would've assumed obvious holes like this don't even exist in the API. So, props to the author trying it out. Wish I had.
That is not what a scalable architecture looks like. You don't want to handle authorization in the same service that's responsible for deleting the resource. Yes, there should have been tests in place, but no, it's not a missing if condition.
Couldn't you have a service which checked you were allowed to delete something, then handed a deletion order back (essentially a signed xml blob) which would then get passed on to the actual deletion service (and here validated)? That way no issue with scalable architecture and no issue with hacks like this.
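The two comments above describe the same fix from two angles: the missing ownership check (userFor(appKey) == owner(albumId)) and the split into an authorization service that hands back a signed deletion order which a separate deletion service validates. The following is an added example written for this thread, not code from Facebook or from any commenter. It uses constructed sample data (album owners, app keys), an HMAC-signed JSON order in place of the "signed xml blob" the comment mentions, and a shared secret between the two services; all of that is an assumption for illustration. It shows the vulnerable handler beside the two-service design, including expiry and replay rejection, which is what a deletion service has to check once it no longer trusts the caller.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (assumption, not Facebook's real model): which user owns
# which album, and which user each app/access key belongs to.
ALBUM_OWNER = {"album-1001": "alice", "album-2002": "bob"}
USER_FOR_APPKEY = {"key-alice": "alice", "key-bob": "bob"}


class AuthorizationError(Exception):
    """Raised when a request is rejected before anything is deleted."""


def vulnerable_delete(app_key, album_id, albums):
    """The bug the thread describes: the key is authenticated, but the album is
    never checked against its owner, so any valid key deletes any album."""
    if app_key not in USER_FOR_APPKEY:
        raise AuthorizationError("unknown app key")
    albums.pop(album_id, None)
    return album_id not in albums


class AuthorizationService:
    """Front service: decides *whether* the caller may delete, then hands back a
    signed, short-lived deletion order instead of deleting anything itself."""

    def __init__(self, key, ttl_seconds=60):
        self._key = key
        self._ttl = ttl_seconds

    def issue_deletion_order(self, app_key, album_id, now=None):
        user = USER_FOR_APPKEY.get(app_key)
        # This is the check the thread says was missing: userFor(appKey) == owner(albumId)
        if user is None or ALBUM_OWNER.get(album_id) != user:
            raise AuthorizationError(f"{app_key!r} may not delete {album_id!r}")
        now = int(now if now is not None else time.time())
        payload = {
            "resource": album_id,
            "subject": user,
            "exp": now + self._ttl,          # order is only good for a short window
            "nonce": secrets.token_hex(8),   # lets the executor reject replays
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + tag


class DeletionService:
    """Back service: executes orders, trusting nothing but a valid signature."""

    def __init__(self, key, albums):
        self._key = key
        self.albums = albums
        self._consumed = set()

    def execute(self, order, now=None):
        try:
            encoded, tag = order.split(".", 1)
            body = base64.urlsafe_b64decode(encoded.encode())
        except (ValueError, TypeError) as exc:
            raise AuthorizationError("malformed order") from exc
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise AuthorizationError("order signature invalid")   # tampered or forged
        payload = json.loads(body)
        now = now if now is not None else time.time()
        if payload["exp"] < now:
            raise AuthorizationError("order expired")
        if payload["nonce"] in self._consumed:
            raise AuthorizationError("order already used")        # replayed
        self._consumed.add(payload["nonce"])
        self.albums.pop(payload["resource"], None)
        return payload["resource"]


def demo():
    """Walks the hardened path: cross-user denied, own album deleted once only."""
    key = secrets.token_bytes(32)  # shared secret between the two services (assumption)
    authz = AuthorizationService(key)
    deleter = DeletionService(key, dict.fromkeys(ALBUM_OWNER, "photos"))
    results = {}
    try:
        authz.issue_deletion_order("key-bob", "album-1001")  # bob asks for alice's album
        results["cross_user"] = "deleted"
    except AuthorizationError:
        results["cross_user"] = "denied"
    order = authz.issue_deletion_order("key-bob", "album-2002")  # bob's own album
    results["own_album"] = deleter.execute(order)
    try:
        deleter.execute(order)  # same order presented again
        results["replay"] = "deleted"
    except AuthorizationError:
        results["replay"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the deletion service never looks at the caller's app key at all: the only thing that can make it delete an album is an order whose signature it can verify, and the only party holding the signing key is the service that performed the ownership check. Expiry and the nonce keep a captured order from being useful later, which matters once orders travel between services over a queue or an HTTP hop.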
I really don't understand the down-voting here. It wouldn't take an experienced security researcher to discover this bug and I think many missed it because they assumed such a vulnerability wouldn't exist.