
Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

Posted by timothy
from the yeah-let's-talk dept.
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then send a request carrying malicious XML code. The Facebook response included its etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof-of-concept remote code execution, which he quietly disclosed to them."
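The bug class in the summary above (a relying party that lets the OpenID provider endpoint be swapped for an attacker-controlled URL, then parses the XML that endpoint returns with external entities honoured) is normally closed on two fronts: allowlisting which provider hosts the relying party will contact, and parsing the provider's XML with DTDs refused outright. The following is an added defensive example written for this page, not Facebook's code; the allowlist hosts, the URLs and the two sample documents are constructed assumptions.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Hypothetical allowlist of OpenID provider hosts this relying party accepts.
TRUSTED_PROVIDER_HOSTS = {"www.google.com", "accounts.google.com"}


class UntrustedXmlError(ValueError):
    """Raised when an identity-provider response is not safe to process."""


def provider_url_is_allowed(url):
    """Reject provider endpoints that are not HTTPS or not on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_PROVIDER_HOSTS


def parse_untrusted_xml(data):
    """Return (tag, attrs) for each element start, refusing any DOCTYPE."""
    # Expat never fetches external entities on its own, but an inline DTD can
    # still declare them; refusing the DTD outright closes the whole class.
    elements = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXmlError("DOCTYPE not permitted in untrusted XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UntrustedXmlError(f"malformed XML: {exc}") from exc
    return elements

# Constructed samples: a benign discovery document, and one whose DTD declares
# an external entity pointing at a placeholder path (the shape of the bug above).
BENIGN_XML = b'<xrds><service priority="0"><uri>https://accounts.google.com/o/openid2/auth</uri></service></xrds>'
DTD_XML = b'<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder/path">]><xrds><uri>&ext;</uri></xrds>'

def check_samples():
    """Return (element count of the benign doc, whether the DTD doc was rejected)."""
    benign = parse_untrusted_xml(BENIGN_XML)
    try:
        parse_untrusted_xml(DTD_XML)
        rejected = False
    except UntrustedXmlError:
        rejected = True
    return len(benign), rejected
```

The DOCTYPE handler fires before any entity in the internal subset is declared, so the sample's `&ext;` reference is never even reached.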
  • by nimbius (983462) on Thursday January 23, 2014 @10:57AM (#46045881) Homepage
    As an American, bounties piss me off. There was no bounty for the Golden Gate Bridge, the interstate highway system, or the exploration of the moon. The Empire State Building had no bounty for successful construction and neither did the Hoover Dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

    Instead of hiring more security engineers and challenging developers to write safer, stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. They get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low-wage cubicle farm mentality is tantamount to anticapitalism.

    Code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. In turn, it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. Employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.
  • by Chameleon Man (1304729) on Thursday January 23, 2014 @11:22AM (#46046133)
    So? I just don't understand how comments like yours that bash bug bounties get modded up... Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.
  • by Antipater (2053064) on Thursday January 23, 2014 @11:26AM (#46046171)

    More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

    Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled out as an unacceptable structural risk.

    http://en.wikipedia.org/wiki/Hoover_Dam#Concrete

  • by KingOfBLASH (620432) on Thursday January 23, 2014 @11:35AM (#46046287) Journal

    You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

    So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

    And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

  • by Nimey (114278) on Thursday January 23, 2014 @12:04PM (#46046589) Homepage Journal

    And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.
