Slashdot Mirror


Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
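Two defensive checks that address the two steps the summary describes (a swapped-in OpenID provider URL, then XML that the server parsed), written as an added example rather than Facebook's own code; the allowlisted hosts, the placeholder file URI and the sample documents are all constructed.

```python
"""Added example: pin the OpenID provider endpoint to an allowlist, and
refuse any XML carrying a DTD before it reaches a parser that might
expand external entities (the mechanism that returned /etc/passwd)."""
import re
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed allowlist: the provider hosts this application trusts.
TRUSTED_OPENID_HOSTS = {"www.google.com", "accounts.google.com"}


def provider_url_allowed(url: str) -> bool:
    """Accept only https endpoints whose host is explicitly trusted, so a
    provider URL pointing at a server the attacker controls is refused
    before any request is ever sent to it."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:   # https://trusted@other.example
        return False
    return parts.hostname in TRUSTED_OPENID_HOSTS   # hostname is lowercased


# A DTD is the only place an XML document can declare entities, so
# refusing any DOCTYPE removes external-entity (XXE) expansion regardless
# of how the underlying parser happens to be configured.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML received from a remote party, rejecting documents with a DTD."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("DTD/DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)


# Constructed samples; the SYSTEM URI is a placeholder, not a real target.
BENIGN = b'<?xml version="1.0"?><response><status>ok</status></response>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
            b'"file:///placeholder/path">]><r>&ext;</r>')

if __name__ == "__main__":
    print(provider_url_allowed("https://accounts.google.com/o/openid"))  # True
    print(provider_url_allowed("https://other.example/openid"))          # False
    print(parse_untrusted_xml(BENIGN).find("status").text)             # ok
    try:
        parse_untrusted_xml(WITH_DTD)
    except UnsafeXML as exc:
        print("rejected:", exc)
```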

13 of 111 comments

  1. Wow by Anonymous Coward · · Score: 5, Insightful

    Stingy reward. That would have fetched quite a bit more on the black/open market.

  2. Re:Crime does pay by sandytaru · · Score: 5, Insightful

    Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.

    --
    Occasionally living proof of the Ballmer peak.
  3. Props to this guy by thedillybar · · Score: 4, Insightful

    Nice to associate the term "hacker" with "honest" once in a while.

  4. Re:Crime does pay by bobbied · · Score: 3, Funny

    Who says he didn't sell it twice? Of course the black market might put a hit on him for it if they had enough bitcoin...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. Re:a pittance in ayn rands america. by fast+turtle · · Score: 3, Insightful

    The Hoover dam did have a bounty that continues to pay out called Electricity that's being sold.

    The Empire State Building has a Bounty called Rent and it's still collecting.

    The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting its fucking bounty of Tolls every god damn day.

    As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

    So get back in your kennel runt and go back to school before the school of hard knocks gets you.

    --
    Mod me up/Mod me down: I wont frown as I've no crown
  6. Re:a pittance in ayn rands america. by Chameleon+Man · · Score: 3, Interesting

    So? I just don't understand how comments like yours that bash bug bounties get modded up... Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.

  7. Re:a pittance in ayn rands america. by joe545 · · Score: 4, Informative

    That is complete and utter rubbish. One of the examples you mention, the Hoover dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat, with vague promises that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions; in response they had their meagre pay cut, and when they weren't happy with that they were fired en masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation, which were conveniently listed as pneumonia.

    Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

  8. /etc/password or /etc/shadow? by Nimey · · Score: 5, Informative

    All /etc/password contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

    About all /etc/passwd gains an attacker is a list of good login names.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
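The format the comment above describes, as an added example (not from the article or any commenter): a parser for the seven colon-separated fields of /etc/passwd plus the audit a defender would run over it, checking that no password hashes actually live in the world-readable file and listing which login names have a real shell. The sample file and the hash string in it are constructed placeholders.

```python
"""Added example: parse /etc/passwd and audit what it exposes."""
from typing import List, NamedTuple, Tuple


class PasswdEntry(NamedTuple):
    name: str
    pw: str          # 'x' means the hash is kept in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}   # markers that carry no hash


def parse_passwd(text: str) -> List[PasswdEntry]:
    """One entry per non-empty line; every line must have exactly 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive(entries: List[PasswdEntry]) -> List[str]:
    """Login names with a usable shell: the list the comment says a leaked
    passwd file hands an attacker."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def password_field_issues(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Misconfigurations: an empty field (no password at all) or a real
    hash sitting in passwd instead of shadow."""
    issues = []
    for e in entries:
        if e.pw == "":
            issues.append((e.name, "empty"))
        elif e.pw not in SHADOW_OR_LOCKED:
            issues.append((e.name, "hash_in_passwd"))
    return issues


# Constructed sample; "$6$PLACEHOLDERHASH" stands in for a real hash.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:$6$PLACEHOLDERHASH:1001:1001:old box:/home/legacy:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
```
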
  9. /etc/password, not /etc/shadow! by Anonymous Coward · · Score: 4, Insightful

    It's a demonstration of a file system traversal vulnerability. Most likely the application is run under an unprivileged user account which surely does not have access rights to read /etc/shadow; however, it has access to its own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, the content of /etc/password is more than enough for the demonstration.

    1. Re:/etc/password, not /etc/shadow! by Nimey · · Score: 5, Interesting

      And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  10. Re:Crime does pay by vux984 · · Score: 5, Insightful

    $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

    How is it a problem?

    It's a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

    My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

    Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

    I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

  11. Re:Crime does pay by HoldmyCauls · · Score: 4, Insightful

    This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jail time and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.

    --
    Emacs: for people who just never know when to :q!
  12. Re:Crime does pay by SmlFreshwaterBuffalo · · Score: 4, Funny

    $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

    How is it a problem?

    It's a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

    My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

    Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

    I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

    Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.