Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its /etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
Stingy reward. That would have fetched quite a bit more on the black/open market.
$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.
The best thing about UDP jokes is I don't care if you get them or not
Nice to associate the term "hacker" with "honest" once in a while
The Hoover Dam did have a bounty that continues to pay out called Electricity that's being sold.
The Empire State Building has a Bounty called Rent and it's still collecting.
The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting its fucking bounty of Tolls every god damn day.
As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.
So get back in your kennel runt and go back to school before the school of hard knocks gets you.
Mod me up/Mod me down: I won't frown as I've no crown
As an American, bounties piss me off. There was no bounty for the Golden Gate Bridge, the interstate highway system, or the exploration of the moon. The Empire State Building had no bounty for successful construction and neither did the Hoover Dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.
Instead of hiring more security engineers and challenging developers to write safer, stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. They get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.
Code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. In turn it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. Employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.
I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.
More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.
So? I just don't understand how comments like yours that bash bug bounties get modded up... Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.
That is complete and utter rubbish. One of the examples you mention, the Hoover Dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat, with vague promises that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions; in response they had their meagre pay cut, and when they weren't happy with that they were fired en masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation, which were conveniently listed as pneumonia.
Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.
You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms, as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Golden Gate Bridge. As best I can tell, as much as could be done for safety was done. Only 5 people died in building the Empire State Building. But 112 people died in building the Hoover Dam. Does that fit the bill of "considering the welfare of their employees sacrosanct"? I'm not thinking that it does. I've come to the conclusion that even with the absolute best practices, it is impossible to write any sizable code that cannot be exploited, and the bigger the project, the more likely it can be exploited. You are right that Facebook does indeed try to be cheap in some ways with regards to employees (Zuckerberg is a very loud voice in the "We can't function without more H1-B visa employees!" argument), but the problem is that when you are a big website, some guy with time on his hands may try to crack your security for giggles. It's more like having a dozen people every day trying to take down and destroy the Golden Gate Bridge than what you imply, which is that Facebook is just too cheap and maybe too stupid to write good code.
What is meant by that is that he quietly disclosed it to Facebook, so that Facebook could fix the problem before it was exploited, rather than going public with it first and putting the pressure on Facebook to fix it quicker.
These things generally get announced after the fact especially if it was disclosed in a bug bounty program because part of the deal is the recognition that the security researcher gets (which is a big deal in the security world from what I can tell).
tl;dr - the quietly refers to the fact that we heard about it after it was fixed and not before.
You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society", people pay each other for everything. When Dagny stays over at John Galt's house and needs to use the stove, she gives him $0.05.
So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.
And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.
All /etc/passwd contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.
About all /etc/passwd gains an attacker is a list of good login names.
Hail Eris, full of mischief...
E pluribus sanguinem
It's a demonstration of a file system traversal vulnerability. Most likely the application is run under an unprivileged user account which surely does not have access rights to read /etc/shadow; however it has access to its own configuration files, which may reveal much more information than the hashes of root's password. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, the content of /etc/passwd is more than enough for the demonstration.
This is my problem in general with a lot of what we call software "engineering". It isn't engineering. When the price of fixing a problem is just recompiling, as opposed to having a building fall down, it seems nothing is planned well or constructed right the first time.
You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.
The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.
Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild. It's not like Facebook just sits back and depends solely on bounties to keep their infrastructure working. He seems upset that paid staff don't get bonuses for fixing their own mistakes. Somehow he mistakenly believes that by paying bounties, Facebook is slighting their staff.
I agree he has a lot to learn.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.
That is XML injection not remote code execution.
You send XML with an include this file and the XML parser reads the chosen file.
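The two comments above (the file-read demonstration and "include this file and the XML parser reads the chosen file") describe the same mechanism: the attacker's XML declares an entity that points at a local file, and a parser that honours DTDs resolves it. This is an added example, not code from the thread or from Facebook: a small Python parser for untrusted XML, built on the standard library's expat module, that refuses any DOCTYPE, external entity or parameter-entity fetch before anything is resolved. The function names and the two sample documents are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed sample inputs (not real Facebook traffic).
BENIGN = b'<?xml version="1.0"?><response><user>alice</user></response>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
       b'<r>&x;</r>')

class UnsafeXML(Exception):
    """Raised when untrusted XML tries to use DTD or entity features."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted peer into {"a.b": text}, refusing any
    DOCTYPE, external entity or parameter-entity fetch before it is resolved."""
    parser = expat.ParserCreate()
    # Never fetch parameter entities (external DTD subsets from a URL).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # <!ENTITY ... SYSTEM "file:///..."> can only be declared in a DOCTYPE,
        # so refusing the DOCTYPE closes the file-read channel outright.
        raise UnsafeXML("DOCTYPE not accepted from an untrusted source")

    def reject_external_entity(context, base, sysid, pubid):
        raise UnsafeXML("external entity refused: %r" % (sysid,))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    result, path, text = {}, [], []

    def start(name, attrs):
        path.append(name)
        text.clear()

    def end(name):
        result[".".join(path)] = "".join(text).strip()
        path.pop()
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    parser.Parse(data, True)  # UnsafeXML or expat.ExpatError on bad input
    return result

def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False
```

The same refusal is what libraries such as defusedxml apply by default; the point is that the check runs at the DOCTYPE, before any entity value is ever looked up.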
In 1986, Tom King, Director of the University of Nevada Oral History Program, interviewed several men who had labored on the construction of Hoover Dam who told him a number of bodies lie buried in it. "These stories were made somewhat plausible by the authority of the tellers, themselves dam workers, and by our knowledge that building the dam was indeed an extremely hazardous enterprise," according to King, "however, further questioning revealed that none of the storytellers had actually witnessed such a tragedy or knew the identity of any of the victims. This was not surprising: the tellers believed what they were saying, but their stories were folklore -- there are no bodies in the dam."
Actually, the dam was poured in relatively small sections, so about all a fallen worker had to do to get his face clear of the rising concrete was to stand up. Officially, 96 dam workers died of various causes, and 112 persons unofficially, but none were permanently buried in concrete.
The closest any worker came to being buried was on November 8, 1933 when the wall of a form collapsed sending hundreds of tons of recently-poured concrete tumbling down the face of the dam. One worker below narrowly escaped with his life, however W.A. Jameson was not so lucky and was covered by the rain of debris. Jameson was the only man ever buried in Hoover Dam, and he was interred for just 16 hours before his body was recovered. His remains were shipped to Rock Hill, South Carolina, where a brother and sister lived.
A structural engineer interviewed for a Discovery Channel documentary on Hoover Dam argued that it would be sheer folly to leave a worker buried in the dam. A decomposing body would jeopardize the dam's structural integrity and risk the multi-million dollar project including property and lives downstream on the Colorado River.