Facebook To Pay Hackers For Bugs

alphadogg writes "Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook's security team first. The company is following Google and Mozilla in launching a Web 'Bug Bounty' program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they're truly significant flaws Facebook will pay more, though company executives won't say how much. 'In the past we've focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,' said Alex Rice, Facebook's product security lead. 'We're extending that now to start paying out monetary rewards.'"

First Post

Good step in the right direction.

*golf clap*

The others...

...like Microsoft/Adobe/Apple should take notice.

not a very smart thing

[Lead+Butthead]

no assurance the said hacker won't sell the information extracted during this "lawful" exercise "authorized" by F-book.

Re:not a very smart thing

[lgarner]

No assurance they aren't doing that already.

found one!

[girlintraining]

I found one! It's called the Zuckerbug. It appears the Zuckerbug is a kind of malware posing as a security solution, when in reality it steals your personal information which is then sold off.

Re:found one!

[bky1701]

Wow, complaining about modding? 'Slashbots'? Did you come up with that one yourself?

Oh wait. Of course not. I've only heard it a few hundred times before. Next time you accuse someone of 'repeating groupthink,' maybe you should at least attempt to hide your own lack of original thought.

Re:found one!

You have misunderstood. When someone speaks against groupthink they are always individual thinkers. It is not possible that a web forum would include more than one group of like-minded people.

Feel free to disagree but understand that that makes you a slashbot, as I am an individual.

Re:found one!

[mister_playboy]

Leave Mario and Luigi out of this! :)

iPhone app?

[kappa962]

The website is infinitely more robust than their iPhone app. Their crappy app is the reason most of my friends don't use Facebook anywhere near as much as they used to.

If only ebay would do the same..

[viking80]

..then we all would be rich. I have not seen any major destination with so many glaring front page defects. Ebay even came to my house, (3 use case specialists strong, and left me an ebay cap!), but no bug fixes as a result.

XSS

[TubeSteak]

Facebook's security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three "actionable bugs," per week, Rice said. Most of these are cross-site scripting or cross-site request forgery issues. These are both very common Web programming errors that could be abused by scammers and cybercrooks to rip off Facebook users.

Sounds to me like Facebook would be better served reviewing their coding and auditing practices.
I mean.. one to three a week, do they not sanitize their inputs?

Re:XSS

Well, it WAS put together by PHP coders...

Re:XSS

[growse]

Why would they sanitise their inputs, gIven that XSS is caused by output content encoding bugs?

Payoff

[tpstigers]

Find a flaw and send us an email describing it. We'll pay you $500, then we'll make $600 selling your email address.

Re:Payoff

[hansraj]

Your email address is not worth even a full dollar, let alone 600.

Yay!

[pitchpipe]

I'm going to get money for pointing out their interface to them.

Will they

[radioFlash]

pay developers to fix them?

This is delusional.

[liquidweaver]

And I do mean delusional, as in out of touch with reality. Facebook must think the people that create these exploits are either really stupid, they don't understand their audience, or this is a token gesture. $500 is ridiculous.

Re:This is delusional.

[gravyface]

And as if that's enough money to shut them up too. They'll be zero-day'ed before the check clears.

Re:This is delusional.

No, you're the one that's delusional. Believe it or not, people reported these even before today responsibly. Why? Because it's the right thing to do. The monetary incentive is there to encourage people to spend a bit more time looking.

Cheapskates

[BeanThere]

If a decent security programmer/expert earns say $50/hr, then this covers only 10 hours of work, and that ignores actual cost-to-company equivalent costs of hiring an expert (e.g. desk, HR, equipment, admin, accounting overheads, so it's actually closer to 5 or 6 hours worth of programmer time). Do you mean to tell me that if they hired an expert internally, they expert the cost of that expert equivalent finding a bug every 5 hours? This is highly patronizing, they are basically treating the security experts out there as children who are supposed to get excited wasting their time doing virtually-free work for the great Facebook just for the so-called "prestige". In fact, most will spend many hours and are likely to earn nothing. Facebook, hire some programmers out of your own damn pocket. Security experts, retain some dignity.

If you can't beat 'em...

[LongearedBat]

...then make 'em join you. It's testing using cheap crowdsourcing. Very sensible, as those cracks would likely be used against them anyway..

first fix the stupid logic with SMS auth!

[galaad2]

i got locked out of my (rarely-used) fb account because i have login approval required via phone but no phone number defined on profile!!!!!!

This happened because i deleted my phone number from my public profile but i didnt mean to also delete it from the login security section. However, when i changed my public profile, their stupid site also deleted the phone number from the security login approval section too, while keeping active the mandatory login approval via sms.

That results in a catch-22 scenario, i cannot login until i get a sms with an auth code, but i cannot get the code since there's no phone number listed to send the sms to.

Since there's no phone number left to send sms to, and i don't currently have a device that's already authorized (i run ccleaner weekly to clear cookies and other crap) that effectively means their system gives me no other way to recover my account and they get to sit on and steal my private data without letting me have any say in it.

At least with Google's 2-factor auth sms security i have some printed recovery codes i can use, but they didn't give me anything :(

And they dont want to turn off the mandatory sms auth (or convert it to email-based auth) for accounts that no longer have a phone number listed. It's impossible to send a sms to a non-existing number.

As to my government-issued id, i'm NOT going to send that, because OF COURSE i didn't use the name that the government uses for me but i used the name most of my friends know me by. (and neither the DoB i used for sign up is the real one...)

i'd rather abandon my fb account (and maybe create another one, i can create all the email addresses that i want since i manage my own internet domains) than send my id (bearing my government-issued id number, similar in function to the SSNs) to who knows where in india/russia/other place. How would you feel if some stranger asked you to send your social security number and all other id info just because their own team is stupid and can't properly manage a login sequence?

Re:first fix the stupid logic with SMS auth!

Alright, so you filled out your profile with false information in violation of the ToS, couldn't go 3 clicks to find privacy settings to hide your phone number from others, and apparently don't have a computer with Facebook cookies from previous logins. Hard to say the blame is all Facebook's

Re:first fix the stupid logic with SMS auth!

[galaad2]

here in our country, the DoB forms a MAJOR part of the government id number/SSN (which is formed by appending a few numbers to the DoB numbers), so OF COURSE i wasn't going to let FB have my SSN, even if only part of it. The DoB that i used is close enough to the real one so as to remember my friends when my bday is, but it's not exactly spot on.

and as to the privacy settings for the phone number, FYI they were ALREADY set to "me only", but that doesn't mean crap to normal FB admins. The access rights to the login security usually require different administrative rights on FB than those rights needed by regular FB maintenance admins that can look at your private data (yes, even if you set it to "me only") but not at the login security auth data.

Here's a few big ones for free

[dbIII]

Here's some big ones:
Domain name time to live is only 30 fucking seconds! That means anything on the net looking for facebook rechecks twice a minute to see if it really is where it says it is. That's a lot of extra traffic but more importantly latency - a waste of everyone's time as their browser checks if facebook is still there and waits patiently back for the the news that facebook hasn't moved anywhere in the last 30 seconds. Because such stupid settings waste time and traffic RFC1035 requires a minimum of at least 300 seconds for TTL. Because nobody thought anybody would be so stupid facebook stopped working via a lot of web proxy software a few years ago until it was all patched especially for facebook.

Content is marked as being from the year 2000! That's a nasty hack to force web browsers to refresh as fast as they can - a big waste of space that is truly antisocial since there are a lot of broadband plans worldwide that have download limits.

Content that should be able to be cached is marked as non-cacheable! Maybe the page has changed, but has the facebook logo and a pile of other static content been redesigned in the last minute? Who cares - let's force the user to download it all over again and make it tricky for their ISP or company proxy server to cache it all! Let's make them pay more for their internet connection (download limits remember), add a lot of entirely useless repeat traffic to reduce the available bandwidth and increase latency with a pile of pointless host lookups.

Draconian workplace policies that ban facebook are not always there to stop people wasting time, they are sometimes there because facebook wastes a lot of network resources so it comes down to a choice of blocking a site that is buggy by design or paying for a better connection and still having to limit staff facebook use at busy times.

Re:Here's a few big ones for free

Uh... Facebook's DNS TTL is not 30 seconds. It's 1 hour (verified by running dig from hosts on two separate networks.
I just loaded Facebook's homepage twice. Outside of PHP scripts, on the second load every other resource used was either loaded from cache or 304-ed (i.e. browser asked server, and was told that its version was still current). Facebook does not want to waste data, but they don't want browsers to cache dynamic data, either.

Now I'm not saying that none of what you say was ever true, but just hat none of it is true now (outside of there being some stuff being marked as being from Y2k, but that's only stuff which IS dynamic (like the home page, which has a news feed in it).

Re:Here's a few big ones for free

Thanks for the charity! I made $2000 today just for reading a /. post. Once again proving lurking around on /. is always worth it.

Re:Here's a few big ones for free

[dbIII]

Uh... Facebook's DNS TTL is not 30 seconds

Good to see they are finally getting something right instead of what they used to do. Google facebook plus squid to find some blogs listing why their behaviour caused problems - especially the insane TTL that gave you a choice of a fast web proxy or something that would actually let the user get beyond the facebook login.

As for the second point about caching, I'm not suggesting that you are making things up but if they are really doing that now it is something that has changed within the last six weeks or so when I was seeing the logs listing stupid amounts of refreshing with only about ten users on facebook at the time - even the logo was getting reloaded!

Oh, this is going to be good...

[physicsphairy]

Age of the slashdot millionaires.

Oblig. Nethack reference

[Torodung]

Gee, and I thought trolls respected "Elbereth." :^P

Flaw in scheme

[GoodnaGuy]

There is an obvious flaw in this scheme. What if someone at google delibratley wrote a bug? He could tell a friend outside the company who would collect the bounty and then share it with him. They would end up basically paying their programmers to write bugs.

validator.w3.org

[ortholattice]

Here are 34 bugs for you just on the home page. http://validator.w3.org/check?uri=facebook.com&charset=(detect+automatically)&doctype=Inline&group=0

I've got one

[BrokenHalo]

I found a huge bug in the IP address Facebook registered with the DNSs. It should be 127.0.0.1.