Deleting any Facebook album (7xter.com)
506 points by compbio on Feb 12, 2015 | 97 comments

Good work. I see a lot of people are surprised at the amount received for this report. Yes, that is typical of both Facebook and Google (and to a lesser extent, Yahoo will pay large sums for particularly bad bugs). They are extremely generous - Facebook recently paid $5000 for a bug report that existed in their careers portal despite that infrastructure being entirely third party.

If anyone wants to try and replicate this sort of thing, consider this: the mobile applications (touch.facebook.com, iOS/Android apps) that Facebook use very often take advantage of legacy api calls and code that the main web application has long since disposed of.

A well known researcher, Stephen Sclafani ('ssclafani) received a bounty of $25,000 for arbitrary account takeover using the legacy API.

Legacy code is generally the first place to look for vulnerabilities. Legacy APIs which are still allowed to exist for backwards compatibility are prime areas to search for bug bounties.

Good luck.

Another good place is at edges of systems, particularly where they rub each other in fraught ways. What's the rule that says that computer systems invariably take on the architecture of the organizations that make them? You can predict Terrible Code Exists Here by getting a list of team names from the target (trivial -- use LinkedIn or ask anyone who works there) and then figuring out where those teams have shipped half-assed worked-on-my-machine glue code to tie their systems together.

A common example: any handoff between a marketing site (or email) and a SaaS app more complicated than "Clicking this unchanging link takes you to a login form" almost certainly involves two teams and was somebody's perceived least important thing to do that day.

The "rule" that you're thinking of is Conway's Law: http://en.wikipedia.org/wiki/Conway%27s_law


> If anyone wants to try and replicate this sort of thing, consider this: the mobile applications (touch.facebook.com, iOS/Android apps) that Facebook use very often take advantage of legacy api calls and code that the main web application has long since disposed of.

Agreed. Touch/m.facebook.com have had major holes exist for long after they have been plugged on the main site. It was iframeable long after the main site wasn't (and thus subject to clickjacking). Also, for a long time you could invite anyone to events by Facebook ID by posting the correct calls to the mobile site, essentially without limit, even after the issue was fixed on the main site. Since custom messages could be embedded in the invitations, it was a spam free-for-all.

Philippe Harewood (@phwd on Twitter) maintains a list of published Facebook bug bounty reports. It's a very good resource for anyone looking to learn about bug bounties and web app security in general: https://www.facebook.com/notes/phwd/facebook-bug-bounties/70...

If $12,500 seems like a lot of money, remember that Facebook theoretically loses $22,453 for every minute their website is down. In other words, they generate $12,500 every 33 seconds.

Paying out that sum of money to increase the number of people searching for security flaws is quite smart.

$12,500 is not a lot of money for this kind of work; if he is hired to find the same bugs he will earn much more.

I understand your sentiment here, but that's a difficult comparison. Friends of mine make more money hunting bug bounties each year than their (competitive) full time salaries as consultants or developers.

These sorts of things are publicly verifiable - Michal Zalewski has commented on it before as a member of the Google appsec team, and if you look on Twitter for writeups from the same folks you come to the same conclusion. I have in mind one particular friend who literally bankrupted a bug bounty in three hours.

Another security researcher by the name of Nicholas Gregoire earned $35,000 combined from Yahoo and Facebook for a single vulnerability in each company - both server-side request forgery. He found it in Yahoo's YQL console, then decided to look elsewhere for it in a very deterministic fashion, and came across it in Parse (Facebook). He found many more bugs in a period of a few months, but he explicitly didn't look as seriously as some people do, which entails actively tracking acquisitions by companies like Google and Facebook.

It can be something of a meat grinder, but finding bug bounties is extremely profitable work. Then of course, having this work on a résumé is an immediate step up for getting interviews.

I completely understand the personal motivation behind solving these bounties, but when you talk about people earning a lot of money you are talking about outliers. It is profitable work for very few elite security researchers. Most computer security people will never find a bug in Google Chrome.

While this is absolutely true, I know some people that like to do this type of stuff for "fun" and the bounty is just icing on the cake. It also won't hurt him in finding that kind of work in the future.

Yeah, I feel it's more about earning respect than making a living.

"I made $10k just for a quick hack"[1] has enormous bragging value - it's both a large enough payout for that, and it can actually be used without going to jail. Much better than actually bringing Facebook down.

[1] It doesn't matter how much work went into finding the exploit, one can still brag about doing it left-handed in 5 minutes.

...especially if he can put that he's gotten that big a payout from Facebook's bug bounty program on his résumé.

This isn't (generally) about the absolute dollar amount. It's a prestige thing, it's a pride thing, and it's an accomplishment thing. For the preponderance of people that participate in bug bounties, the money is probably very much secondary.

Yet there's no way to tell FB about problems without having an account (that I could find in 5 minutes). I found potential phishing attempts in the Windows Store, suggested apps right from the start menu. MS refuses to do anything about phishing/scams on their store, and FB offers no way to contact them (I tried a few email addresses like legal@, to no response).

You can (and preferably should) use a Whitehat Test Account to perform your research/make your report: https://www.facebook.com/whitehat/accounts/

apps.facebook.com (Facebook Windows Store) is not in the scope of this bug bounty program though.

I'm just trying to let FB know of a potential phishing attempt that's targeting all Windows users. I don't care about the bounty; in fact I only care a: to teach MS a lesson and b: to annoy the "developers" scamming people. I don't care enough to sign up for FB. Every other company I've dealt with on this, except some of the large media companies, has been easy enough to contact about the problem.

To be clear, the issue is: Windows users using the Windows search feature, or directly using the Windows Store, are presented with fake FB apps claiming to be official. Contacting MS support gets useless replies, as they are trying to pump their app counts. Meanwhile, normal users end up installing a potentially malicious app, claiming to be the official FB app. FB needs to send a takedown.

Things might have changed over the past 12 months, but if you report an app from the Store app in Windows 8, the report gets looked at and they were good about removing apps that had issues.

I say this since I went through this process myself about a year ago and the app I reported was taken down. Full disclosure: I worked on the app store team, but didn't use any internal mechanism.

I've been going through this recently quite a bit. Reporting stuff is a waste of time, except for entertainment purposes.

I've reported all sorts of things. In nearly every single case, they say they cannot do anything. Even when there's a fake DropBox app "by" "@Microsoft". In that case, the CSR told me to try re-installing the app, that it worked for him. Zero understanding of the issue.

I've found a fake Windows Update on the Store. Reporting it got a generic response, until I emailed the MS security folks. Then it was removed in a few minutes. Meanwhile, they suggest I "Leave a review" or email the developer. Idiotic.

Netflix went back and forth with MS at least 3 times. Amazon had issues as well. Other ISVs tell me they can simply not get MS to be responsive about things.

Disney was the funniest response. Despite being a major Store publisher, there's all sorts of fake Disney stuff online. When I spoke to the Disney Store about it, the final suggestion was "don't go on it [the Windows Store]". Neato.

It's obvious MS is just padding the app numbers and no review is actually happening. It's a shame, since it undermines all the work; the Windows Store is a joke even with casual users. (Like even meeting random people on a plane and asking.) I emailed Satya. I emailed the GM of the Store. I emailed the Dev evangelist pushing the "let's pay people in third world countries 4 months salary for publishing 20 shitty wrap-a-webpage apps" program. No replies.

Here's a gallery of some gems: http://imgur.com/a/xvqZg#0

But nothing beats this awesomeness: http://imgur.com/fLOWMI4

I really hope they enable an Android compat layer. Even if it's slow, A: tons of random utility apps will be available, B: MS can enforce some quality instead of quantity.

I find it hard to believe MS isn't aware of these issues, unless no one actually uses it (Win10 makes it more in-your-face, though). Someone must have a bonus that's tied to "published app count". Neither Apple nor Google have these issues. The Store is worse than the Android Marketplace was.

Yeah there's no way that's enough money to submit to creating a FB account. [only half-joking... EDIT: three-quarters?]

For the seriousness of this bug 12k doesn't seem like much to me. I don't know if I would turn it in for that little. With my personal dislike of facebook, the alternative is so very, very tempting..

That alternative being...

Ruining his aunt's birthday memories?

It would ultimately be the hapless users who suffer in some way.

Doubt you would do any real damage, I believe in the past it has been noted that deleting photos on Facebook won't remove the actual images from their servers. So it is likely possible that they could simply identify photos deleted in this way and restore them.

I'm guessing the alternative he's referring to is the black market.

However I'm not sure if the risk being caught is considered in this. If you can get let's say, X times more in the black market but also risk 10 or 20 or whatever years in jail as well, I'm not sure those 12.5k seem that bad.

Edit: Or maybe doing extortion on someone? but how much could you get by threatening to delete someone's photos? I'm guessing not much... no?

Short FB, delete everyone's photos, buy FB.

And then go to jail. Great plan there...

Only if you are caught _and_ they can prove you did it, which isn't likely to be easy if you launch the attack from a botnet.

And when you inevitably do get caught red handed, don't worry, because you'll have a Greek Chorus of Internet commenters making t-shirts advocating your release and writing Boing Boing articles about how you got screwed. Unless your offense involves credit cards, the celebrity might be worth the (very minimal) sentence you'll end up with.

It probably also gives somebody discovering the flaw a disincentive for exploiting it just for fun and then bragging about it since there will be no payout in that case.

> Facebook theoretically loses $22,453 for every minute their website is down.

Any reference for this?

It was mentioned on a Techcrunch article[1]. Annual earnings/Time.

[1] http://techcrunch.com/2014/09/03/why-is-facebook-down/

Holy heck, $12.5K? That's one heck of a nice bug bounty program Facebook has there. That is likely more than the black market would pay for this, or at least a lot less hassle (plus the black market might have little interest, as this cannot be used for hijackings, just trolling/harassment).

I doubt the "black market" would pay much of anything for this bug, because, like most severe web vulnerabilities, it has no half-life.

No, but imagine the resources they would have had to throw at the problem if the user had instead decided to delete ALL the photo albums on the site. Or imagine if he had used the exploit to delete all the photos of a movie launch, etc. The reward is appropriate.

I understand the reward, but Facebook was buying the incentive for people to look for bugs like this; they weren't competing with the black market.

I'm guessing not much? I was under the impression that nothing you delete on Facebook is ever truly deleted, just marked as disabled and hidden. And if they're logging their API calls it should be fairly straightforward to look up which albums were disabled using that one token and switch the flag back.

Not from this point of view, but from a marketing point of view, deleting photos is quite a power. Imagine being able to ruin a movie's launch while your own movie is all over youtube.

What do you mean by "half-life" in this context ?

Half-life means what it usually does: time until 50% of the thing (vulnerable clients) have evaporated. You can plot out a decay curve. Vulnerabilities are valuable when many clients still exist which can be profitably exploited.

The half-life of this bug is ~0. As soon as Facebook becomes aware of it, it is nearly instantly fixed everywhere. This is very not the case if you get e.g. code execution on a version of Java which will take 50 months to completely disappear from the wild.

When 1 engineer costs ~$250k+ fully loaded, it isn't that much!

Plus they become good future recruiting targets.

It's not very useful to compare bug bounty payouts to what the "black market" would pay for a vulnerability.

Let's look through the challenges of selling a vulnerability that allows for arbitrary account takeover (much more serious than this):

0. Find the vulnerability. Assume that no one will find it by the time you find a third party buyer.

1. Look for a buyer. If you're not well-connected, you might stumble into an FBI honeypot (a sting operation) because you don't know what you're doing. But let's assume you know what you're doing and you find a buyer.

2. You negotiate a price. You don't receive much more than Facebook would pay you (if they even give you that much) for a few reasons:

a. The vulnerability can only be used on Facebook, so it's not vendor agnostic (compare Heartbleed, Shellshock);

b. The vulnerability has an extremely small window of capitalization - it will be discovered within a week of use, maybe less. The Facebook incident response team is spectacular.

c. You need to figure out a sufficient monetization strategy for distributing malware or spam using profiles that are taken over using this vulnerability. You have a week of use, much less if you try to take over accounts too aggressively. Now you're going up against all of Facebook's other protections - once you have the account, spreading malware will either be algorithmically discovered by Facebook or reported by other users.

With an organized crime unit composed of professional hackers, this might pay off. Maybe. And that is for one of the most serious bugs you can find. You're better off just taking what Facebook (generously) gives you.

The classical fallacy people fall into is believing that a web application vulnerability is worth much, especially the variety most tech companies have to offer. It's certainly serious, yes, but it's only worth what a market will pay for it. It's worth a lot to Facebook for brand integrity. It's not worth a lot to hackers looking to make money.

The only web applications that might be worth real money would be banks or government institutions (or similar platforms). Real money is found in vulnerabilities on desktop clients, especially memory corruption vulnerabilities, or in ubiquitous software that affects servers. You want to be able to compromise a user for use in a botnet or distribute malware to steal their money or personal information. Alternatively, you want to be able to attack, say, 30% of the websites on the internet with a wide variety of options after you get in.

Examples include:

• Vulnerabilities in Flash.

• Vulnerabilities in Python, Ruby or corresponding web frameworks.

• Code execution in iOS that allows a jailbreak (most sources indicate the going price for this is $500,000). Other vulnerabilities as well, such as compromising app store receipts or in-app purchase checks.

• Vulnerabilities in Android, up to and including code execution.

• A game over flaw in any number of ubiquitous software packages used on Linux servers with root access.

• A sandbox escape in OS X or Windows (you'll be paid more for Windows but both are lucrative).

The US government actually buys vulnerabilities. It's not really illegal so you don't need to worry about an FBI sting.

Looking over your list it seems that Shellshock (and possibly Heartbleed) would have been extremely profitable on the black market. Any guess as to their selling price?

In a week, an attacker with an account-takeover exploit could attack every high-profile celebrity and likely dig up enough dirt on them to get far more than $50,000 in hush money. Or they could go the old-fashioned route and use it to snoop on the plans of wealthy people to kidnap them and hold them for ransom. There are many, many possibilities for making money if you can gain access to anyone's Facebook account, even if it is just for a week. $50,000 is not an extraordinarily large compensation for ethically disclosing an exploit of this nature by any means.

Do you have firsthand or even secondhand knowledge of a market for account takeover bugs where the buyers are monetizing those bugs via celebrity dirt? Do you have knowledge of markets for account takeover where buyers are directly monetizing those bugs at all?

I'm not asking if you can hypothesize such a market. I'm asking if you know about one actually existing.

It's been suggested to me that there is in fact at least one set of buyers for account takeover bugs. But they aren't monetizing those accounts.

If they aren't monetizing them, can you be more specific about what these hypothetical exploit buyers are doing with the pwned accounts?

I don't, but I strongly suspect they exist. While it's not my MO, I am quite certain that a blackhat-hacker with an exploit that enables them to compromise anyone's personal account would have the idea to target wealthy/famous people for personal gain. I also don't think it's beyond reason to think they could generate more than $50,000 through malicious means. Doing it without getting caught would be the challenging part, I guess.

It's a great incentive to not sell it on the black market.

Or when you do find something really exploitable you already have a financial incentive to be good.

Didn't anyone else find this post suspicious ?

I browsed through the site thinking there were some other interesting security posts.

Turns out this is the only post on the site. Then I did a Whois and this site was created 2 days ago. It's registered to laksshmanan51@gmail.com which is apparently the same guy on the post. Then I did a search on Google for laksshmanan51@gmail.com and there are search results with "You can earn huge using your Facebook page. Please let me know if you are interested. Shoot me a mail laksshmanan51@gmail.com"

This just doesn't pass the smell test with me, seems to me this guy just pwned a lot of people to get ad clicks or something else.

Nope, I see his name listed here for the last two years. https://www.facebook.com/whitehat/thanks

Also, the guy who found this vulnerability doesn't know not to use jpegs for text?? That doesn't pass the smell test either.

Those are two completely different skill sets. One is knowledge of vulnerabilities and security, the other is about good web practices. There is no overlap in skill set here.

I suspect, though of course I have no proof, that the bounty was this size because FB found a large number of other API calls similarly exploitable and locked them down in one go.

So here seems like as good a thread as any.

What do you do when you think a company would just fix the bug based on your report and not pay out anything? I have seen so many bugs in the wild like this. For example a site in the uk where I can get access to any account I wish.

Are there any data protection laws that would provide leverage? How would you make first contact with a company that doesn't advertise a bug bounty program?

Does this kind of email seem ok?

    "Hi, I have seen a security vulnerability on your site. How do I report it? What do you pay?…

    May you respond in the next 7 days or I will be forced to take this to xxx.org for the protection of your users"

No, that email doesn't seem okay at all. That's extortion. A company has every right to not offer a bug bounty, and to fully prosecute you for trying to find a vulnerability (you can quibble about what "trying to find a vulnerability" means, but they have the right, like it or not). You have no right to demand payment for a perceived vulnerability in a company's infrastructure, even if they have a bug bounty program.

The most serious vulnerabilities I ever found (read: the greatest potential for exploitation) came from reports to companies without bug bounties, so I know the position you're in. But looking for payment in return for vulnerabilities outside of the context of a bug bounty sets a precedent for the wrong motivation and is inherently adversarial to the company. Do not fish for vulnerabilities, then try to hold out your report for payment. Whether or not you believe it is unethical is a matter of personal opinion I suppose (I believe it's unethical), but it is at least illegal.

Now, let me clarify: there is nothing wrong with giving a company a deadline before you go public. But 7 days is far too small of a deadline. 90 days is better. And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck.

When you find a vulnerability like this, you proceed carefully. Contact a software developer, or better yet, a security team member (if they have one) who is technically savvy enough to understand your report. It would be best to do this anonymously. Email is strongly preferable, but you can escalate to Twitter if it means being put in contact with the right person. Obviously this means asking for help with security on Twitter, not disclosing the vulnerability publicly.

> "And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck."

What if you aren't a professional security researcher, though? I'm sure there are plenty of underpaid people out there who stumble onto bugs like this every so often. Yes, asking the company to give you money on threat of revealing the bug is definitely extortion, but you are assuming a little too much in this case I believe. Some people may truly need the money.

Needing money is not, in our current economic system, enough cause to get it. If we are accepting the premise that extorting people this way is illegal and unethical, it doesn't become more legal because you are poor or not a professional, and probably not more ethical either.

Exactly what I was looking for, thanks. 90 days seems to ring a bell with what Google is doing at the moment with Microsoft, Apple etc. Maybe not so much for (in this case) simply adding the http flag to your plain text user session cookie. But this is what I was looking for, best practices.

Again, thanks for the advice.

>to fully prosecute you for trying to find a vulnerability

Wouldn't that strongly depend on how you found it? E.g., if a friend sends you an invite to share files on dropboks.com (hypothetical Dropbox-like service) and you copy and paste only part of the link, you now have access to his files (think /mergers/dove-soap but you insert /mergers/ and get to see all his mergers). In this case you stumbled on a huge security issue, but how did you do anything illegal?

That sounds akin to extortion...

Edit: I should probably expand on that. Telling a company that you know about a bug but won't tell them about it if they don't pay you and instead threaten to turn it over to other parties who may have more nefarious intentions is pretty much extortion and is likely illegal.

I understand that you'd want to make money out of it, but if the company offers no bug bounty, it's no good threatening them. If you do so, it'll likely trigger a hostile response.

Reply to your edit:

Maybe the xxx.org came across wrong. My intention was a government organisation, nothing nefarious.

Exactly. That's how I thought it sounded.

But is it my responsibility to spend time reporting this to them? Should I leave the vulnerability for others to take advantage of, if they come across it? How do I know that others aren't already doing so?

With this specific vulnerability it could be used to build an address book of emails, {home,work} addresses, telephone numbers etc., given the nature of the app.

Not like that. A few times I've gotten free software, twice I got some recognition, and one time I got $500. This was years ago before bug bounties were a thing. I simply emailed a technical person (once I called cause I had a prior business relationship) saying I had found a bug with security implications and I want to let them know privately, who's the best person. Always someone has been grateful at least. After you've explained everything to the right person and they get back to you, then you can ask. The $500 I did not even ask, I was assuming it would be like with the large company that simply mentioned my employer in the notice, it was from another large company, that floored me.

edit: And you're probably not going to get anything for what you found, but you'll get a thanks if you go around it right, and you'll get arrested or ignored if you don't. You might get some recognition too, and that's worth a lot when you are young.

It seems like Facebook's Bug Bounty Program payment processor bugbountypayments.com is down http://isup.me/bugbountypayments.com . Anyone have any experience with that site? I haven't heard of it coming up before in security program discussions on HN or elsewhere.

That actually works for me even though isup.me thinks it's down :/

Works over https: https://www.bugbountypayments.com

Wonder if it's intentional, i.e.: If you are truly L337 then you'd work it out eventually, or it's some sort of HSTS type-thing.

It's really surprising to me that a user could take their access token and request a deletion of a resource that they do not have authorization to delete... and it deletes it. I wonder if they have any more authorization issues like this.

I'm struggling to not sound rude, but that's the whole point of the submission. He was surprised, you're surprised, I'm surprised, everyone here is surprised. Facebook was so surprised that they gave him money.

That seems a princely sum of money, but then again, this was a pretty serious flaw. Kudos!

It's impressive how many security bugs were reported on Facebook:

About 725 independent researchers contributed.

I've never been more motivated to sign up for FB like I am now so I checked out the eligibility rules for the bug bounty and I found one interesting rule:

> Not reside in a country under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Keyword there is any. Some Russian officials are under U.S. sanctions, does that mean Russian citizens are not eligible for the bounty?

I ask cause according to Wikipedia[0], I reside in a country under U.S. sanctions but the sanctions apply to certain people instead of the entire country.

[0] http://en.wikipedia.org/wiki/United_States_embargoes

Is anyone else kind of shocked that this particular vulnerability exists given that Facebook employs "the best and brightest" in the industry?

This isn't one of those vulnerabilities that relies on numerous seemingly unrelated steps and makes you wonder how the person ever thought it up.

Instead, this is security 101 stuff. Facebook simply wasn't making sure userFor(appKey) == owner(albumId). I would've assumed obvious holes like this don't even exist in the API. So, props to the author trying it out. Wish I had.

Mistakes happen. When you're pen-tested for the first time (by a decent pen-tester) you go through the 5 Stages of Grief with the stuff they find.

Something tells me you're new to this industry

That is not what a scalable architecture looks like. You don't want to handle authorization in the same service that's responsible for deleting the resource. Yes, there should have been tests in place, but no, it's not a missing if condition.

Couldn't you have a service which checked you were allowed to delete something, then handed a deletion order back (essentially a signed xml blob) which would then get passed on to the actual deletion service (and here validated)? That way no issue with scalable architecture and no issue with hacks like this.
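As an added illustration (not Facebook's code and not the post author's; every name, token and album id below is constructed), here is the ownership check the thread says was missing, beside the two-service design suggested in this comment, where an authorization service hands back a signed deletion order and the deletion service validates it before acting:

```python
"""Constructed example of an album-deletion endpoint: the flawed version
(caller authenticated, ownership never checked), the direct fix, and a
split design where a signed, short-lived deletion order carries the
authorization decision to a separate deletion service."""
import hashlib
import hmac
import json
import time

# Constructed sample state: album id -> owning user, access token -> user.
ALBUMS = {"album-victim-1": "victim", "album-attacker-1": "attacker"}
TOKENS = {"tok-attacker": "attacker", "tok-victim": "victim"}


def user_for(token):
    """Authentication only: who is presenting this access token?"""
    if token not in TOKENS:
        raise PermissionError("invalid access token")
    return TOKENS[token]


def delete_album_vulnerable(albums, token, album_id):
    """Flawed shape: any valid token may delete any album id."""
    user_for(token)  # caller identity is checked ...
    return albums.pop(album_id, None) is not None  # ... album ownership is not


def delete_album_fixed(albums, token, album_id):
    """Same endpoint with the missing check: caller must own the album."""
    caller = user_for(token)
    owner = albums.get(album_id)
    if owner is None:
        return False
    if owner != caller:
        raise PermissionError("caller does not own album")
    del albums[album_id]
    return True


# Two-service variant. ORDER_KEY is a constructed secret shared only by the
# authorization service and the deletion service, never by API clients.
ORDER_KEY = b"constructed-shared-secret"
ORDER_TTL_SECONDS = 60


def issue_deletion_order(albums, token, album_id, now=None):
    """Authorization service: emits a signed order only for the album owner."""
    caller = user_for(token)
    if albums.get(album_id) != caller:
        raise PermissionError("caller does not own album")
    expires = (time.time() if now is None else now) + ORDER_TTL_SECONDS
    body = json.dumps({"album": album_id, "user": caller, "exp": expires},
                      sort_keys=True)
    sig = hmac.new(ORDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def execute_deletion_order(albums, body, sig, now=None):
    """Deletion service: trusts nothing but a valid, unexpired, matching order."""
    expected = hmac.new(ORDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad order signature")
    order = json.loads(body)
    if (time.time() if now is None else now) > order["exp"]:
        raise PermissionError("order expired")
    # Re-check the binding so an order cannot outlive an ownership change.
    if albums.get(order["album"]) != order["user"]:
        raise PermissionError("order does not match current album state")
    del albums[order["album"]]
    return True
```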

Can you elaborate?

I'm not 100% sure on this, could you only delete albums for users who had given access to your app, or was it any user at all?

The app was "Facebook for Android", so there would have been a large surface area regardless.

In the post the album id for the attackers album and the victims album are the same, 518171421550249.

I'm not surprised the delete worked...

Great job. I am supremely jealous. I REALLY could use $12,500 right about now.

I really need to bring my curious nature back into the forefront.

Very nice one buddy, but sorry to say, I think for this bug the reward is a little too high :P No offense though.

Sorry if this is trivial, but how easy is it to get the Mobile API access token? I thought API access tokens should be safeguarded like credentials.

You didn't need the target's access token. Your own worked just fine.

Exactly, that in itself is the whole point of this being a security bug.

Woah, didn't catch that when I first skimmed through the article. $12,500 wasn't enough then.

$12,500 man Facebook got that cheap. That's a $100M or more bug - there's no real way to put a price on it.

Amazing ! :)

That's an easy $12,500 for a hack... but still, you cracked it, which many would have ignored.

That was brilliant :)

Nice! Easy $12500. I'm kicking myself but then again, who woulda thunk?

Might not have been easy depending on how many other things he had to test before he found this error.

I really don't understand the down-voting here. It wouldn't take an experienced security researcher to discover this bug and I think many missed it because they assumed such a vulnerability wouldn't exist.

I think this post is a hoax. A lot of things don't add up.

I thought there would be more interesting security posts and this is the only post on the entire site.

The site was registered just 2 days ago, see http://www.whois.com/whois/7xter.com . Then if you search on Google for the email that registered the site (laksshmanan51@gmail.com) you get this http://apnahindisms.blogspot.mx/2014/09/bewafa-shayari-in-hi... that has "You can earn huge using your Facebook page. Please let me know if you are interested. Shoot me a mail laksshmanan51@gmail.com"

Shhh, don't interrupt the circle jerk. ;)

You guys are missing a key factor. FB paid him $12.5k but didn't lose anything.

Find line of code containing bug and:

    git blame -L2469,2469 -- app/core/shitty_auth.php | \
        egrep -oh '[A-Z][a-z]+ [A-Z][a-z]+' | \
        xargs -I {} python dock_monthly_pay.py \
            --employee-name="{}" --amount=1041.67
