Slashdot Mirror
Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
Stingy reward. That would have fetched quite a bit more on the black/open market.
$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.
The best thing about UDP jokes is I don't care if you get them or not
Bummer!
as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.
instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.
code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.
Good people go to bed earlier.
Nice to associate the term "hacker" with "honest" once in a while
nice!!
I'm with you; down with Facebook! I never see my family any more, but their entire lives are broadcast on Facebook.
Bounty. You keep using the word. I don't think it means what you think it means.
The problem with both of these examples is that they're commercial projects, built for a Commercial Reason.
Absolutely! Facebook is a non-commercial project. They have ads; not commercials!
So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.
I can't respond to that because I'm snickering too much.
This coming from someone who has their G+ linked to Slashdot.
You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Golden Gate Bridge. As best I can tell, as much as could be done for safety was done. Only 5 people died in building the Empire State Building. But 112 people died in building the Hoover Dam. Does that fit the bill of "considering the welfare of their employees sacrosanct"? I'm not thinking that it does. I've come to the conclusion that even with the absolute best practices, it is impossible to write any sizable code that can not be exploited, and the bigger the project, the more likely it can be exploited. You are right that Facebook does indeed try to be cheap in some ways with regards to employees (Zuckerberg is a very loud voice in the "We can't function without more H1-B visa employees!" argument) but the problem is that when you are a big website, some guy with time on his hands may try to crack your security for giggles. It's kind of like having a dozen people every day trying to take down and destroy the Golden Gate Bridge than what you imply, which is that Facebook is just too cheap and maybe too stupid to write good code.
What is meant by that is that the quietly disclosed it to Facebook, so that Facebook could fix the problem before it was exploited, rather than going public with it first and putting the pressure on Facebook to fix it quicker.
These things generally get announced after the fact especially if it was disclosed in a bug bounty program because part of the deal is the recognition that the security researcher gets (which is a big deal in the security world from what I can tell).
tl;dr - the quietly refers to the fact that we heard about it after it was fixed and not before.
All /etc/password contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.
About all /etc/passwd gains an attacker is a list of good login names.
Hail Eris, full of mischief...
E pluribus sanguinem
It's a demonstration of file system traversal vulnerability. Most likely the application is run as under an unprivileged user account which surely does not have access rights to read /etc/shadow, however it has access to own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, content of /etc/password is more than enough for the demonstration.
That is XML injection not remote code execution.
You send XML with an include this file and the XML parser reads the chosen file.
I expected something like $100K. Would be trivial for them. The could build a whole ecosystem of people trying to report bugs to them.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
No, you're wrong, bounties and prizes were an integral part of American history.
https://challenge.gov/p/about
http://www.slideshare.net/crai...
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
I'm pretty sure I've seen pictures of the builders of the empire state building sitting on some I-beam with no safety gear or even a rope to hold on to. I somehow doubt construction employers cared more about their employees then than they do today.
A white hat does exactly what he is supposed to do (allegedly) and a company takes the proper route and doesnt sue him into oblivion, takes the proper steps to make a timely fix and gives him a reward. And yet everyone here swings and misses on the topic.
Congrats. This place is the officially one rung above 4chan.
Since when does being a Socialist mean 'someone who has a different opinion than me'?
> Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears.
It might look that way if the only information you were familiar with on the topic was news reports.
The thing is, newsworthy events are by definition NOT the usual events. Based on looking
at airplane flights in the news, you might conclude that plane flights usually end in a crash.
In reality, planes usually don't crash, so you don't see them on the news. 99.98% of flights go well.
In reality, security issues usually aren't ignored, so you don't see them on the news. 99.98% of reported issues are handled.
http://cve.mitre.org/ tracks the resolution of about 20 security issues per day.
For example, I found one could have easily taken down wikipedia and many other top sites, CVE 2012-0206. http://securitytracker.com/id?1026729 . You'll note 2012-0206 was one reported on January 10th. Ten days into the year, over 200 issues were in the resolution pipeline. MOST issues are handled the same way as CVE 2012-0206. Out of the ~8000 issues publicly tracked each year, two or three are grossly mishandled and make the news. What's not in the news are the other 7,998 issues that are timely resolved through the normal process.
Why would you keep your bitcoin after you spent them? Especially on such a thing.
"time to pay off this hitman. better photocopy the cash before I do."
My post above may be slightly unclear, especially not knowing who it's from. I had already moderated the thread so I posted AC.
CVE 2012-0206 is an example of a security issue I discovered and reported. I'm familiar with the usual process because I'm part of the usual process.
CVE 2012-0206 is typical - I reported the issue to the security@ contact. Within a few hours they responded.
They asked if I had further information, if I would hold off on further disclosure for 48 hours so they could test a patch and ship it to their largest users (wikipedia, etc.), and they asked how I'd like to be credited in the CVE and any other public postings.
I told them no problem waiting 48 hours or more, let's get wikipedia and the big hosting companies patched before releasing details, and I asked that they include my web site in posts "Ray Morris from bettercgi.com discovered ...".
24 hours later, servers responsible for several thousand domains had been quietly patched.
46 hours after the report, the fix was on the web site. Two hours after that, the CVE was posted on the security lists.
Over the next few days, distributions released new packages. I think Debian was first. Gentoo was on it within 24 hours, though they needed to discuss the fix https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-0206
That's what USUALLY happens.
What's wrong with you greedy fucks? $33.5k is chump change to you? You must all be 1%ers.