Forgot your password?
typodupeerror
Facebook Security The Almighty Buck IT

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom" 111

Posted by timothy
from the yeah-let's-talk dept.
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
This discussion has been archived. No new comments can be posted.

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

Comments Filter:
  • Wow (Score:5, Insightful)

    by Anonymous Coward on Thursday January 23, 2014 @10:43AM (#46045739)

    Stingy reward. That would have fetched quite a bit more on the black/open market.

    • by jovius (974690)

      Maybe he also sold on the black market. The data and its structure itself may be interesting.

    • I expected something like $100K. Would be trivial for them. The could build a whole ecosystem of people trying to report bugs to them.

    • by nhat11 (1608159)

      Hey stealing from a bank or selling drugs is profitable too you know.

      • by Wootery (1087023)

        Granted, but the analogy only works if we assume that he found drugs/a bank in his bedroom.

        To make money dealing drugs/breaking into banks, one has to go out and buy drugs/break into banks. In this case, Reginaldo Silva (why his name isn't mentioned anywhere in the summary, or indeed the comments, I don't know) found the weakness, and was only then faced with the choice.

        Ultimately of course you're right. Doubtless one can often make more money by breaking the law. Nothing new there. Still though, there's an

  • by TheNastyInThePasty (2382648) on Thursday January 23, 2014 @10:45AM (#46045755)

    $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

    • Re:Crime does pay (Score:5, Insightful)

      by sandytaru (1158959) on Thursday January 23, 2014 @10:48AM (#46045787) Journal
      Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.
      • by sl4shd0rk (755837)

        without the risk of jail time to boot.

        That's no guarantee that the next cracker reporting an exploit will be treated the same way. Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

        • by kasperd (592156)

          Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

          This has indeed happened multiple times in the past. But none of the cases I know of were from a company, which was offering a bug-bounty. Has any company made such a dirty move after publicly announcing a bug-bounty

          • by CastrTroy (595695)
            I don't know if anybody has been taken to court, but it's not guaranteed that the company with the bug bounty program will pay out. If you want something specific, here's an example involving Facebook [theverge.com].
        • > Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears.

          It might look that way if the only information you were familiar with on the topic was news reports.
          The thing is, newsworthy events are by definition NOT the usual events. Based on looking
          at airplane flights in the news, you might conclude that plane flights usually end in a crash.

          In reality, planes usually don't crash, so you don't see them on the news. 99.98% of flights go well.
          In reality, security issues usually

          • My post above may be slightly unclear, especially not knowing who it's from. I had already moderated the thread so I posted AC.
            CVE 2012-0206 is an example of a security issue I discovered and reported. I'm familiar with the usual process because I'm part of the usual process.

            CVE 2012-0206 is typical - I reported the issue to the security@ contact. Within a few hours they responded.
            They asked if I had further information, if I would hold off on further disclosure for 48 hours so they could test a patch and

      • Re:Crime does pay (Score:5, Insightful)

        by HoldmyCauls (239328) on Thursday January 23, 2014 @01:00PM (#46047291) Journal

        This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jailtime and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.

        • by akinliat (1771190)

          That's not really the point. This sort of security breach could have cost Facebook millions in stock value alone, to say nothing of potential losses in revenue. Paying such a niggardly amount is not only insulting to the value that the man has provided to the company, but it also says a great deal about how Facebook views its own investors, who would bear the burden of a sudden drop in stock value.

    • Re:Crime does pay (Score:5, Insightful)

      by vux984 (928602) on Thursday January 23, 2014 @12:29PM (#46046889)

      $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

      How is it a problem?

      Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

      My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

      Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

        I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

      • by SmlFreshwaterBuffalo (608664) on Thursday January 23, 2014 @01:03PM (#46047335)

        $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

        How is it a problem?

        Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

        My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

        Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

        I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

        Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.

        • by vux984 (928602)

          The 'keys to the kingdom' phrasing was in reference to the article summary which claimed the hacker had the keys to kingdom for facebook... I, perhaps naively, presumed he didn't get into Zuckerberg's pants.

    • by morgauxo (974071)

      Maybe but that's $33,500 in the clear with no worry about getting caught and consequences.

  • by Anonymous Coward

    Bummer!

  • as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

    instead of hiring more security enginee
    • Re: (Score:3, Insightful)

      by fast turtle (1118037)

      The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

      The Empire State Building has a Bounty called Rent and it's still collecting.

      The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting it's fucking bounty of Tolls every god damn day.

      As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't b

      • by Anonymous Coward

        The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

        The Empire State Building has a Bounty called Rent and it's still collecting.

        Bounty. You keep using the word. I don't think it means what you think it means.

        The problem with both of these examples is that they're commercial projects, built for a Commercial Reason.

        Absolutely! Facebook is a non-commercial project. They have ads; not commercials!

        So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.

        I can't respond to that because I'm snickering too much.

      • Re: (Score:3, Insightful)

        You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.

        The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.

        Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild.

      • by weilawei (897823)

        As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

        Not sure which states you drive (drove?) through, but I really don't mind truckers. They're usually the most polite drivers on the Interstate around here. It's the assholes in their BMWs doing 20+ MPH faster than the flow of traffic, weaving in and out, when it's busy, that are the most obnoxious.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

      instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

      code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

      I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

      • Re: (Score:2, Interesting)

        by Antipater (2053064)

        More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

        Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled ou

        • Re: (Score:3, Funny)

          by Stewie241 (1035724)

          What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

          • by cellocgw (617879)

            What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

            Naaah, what's *really* interesting is breaking down an old parking garage concrete floor and discovering a skeleton [wikipedia.org] of a dragon-like beast which never existed on Earth in the first place.

      • More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

        Apparently that is a myth: http://nsla.nevadaculture.org/... [nevadaculture.org]

    • by Anonymous Coward

      Finding code bugs and potential vulnerabilities that can be exploited is really hard, even with top notch security-aware developers and in-house security engineers. Why not hire bright minds and offer a bounty, too? They're acknowledging reality, which is more than you can say for a lot of conglomerates.

      I like Rand. Don't use her philosophes to make an ill supported point.

    • by Chameleon Man (1304729) on Thursday January 23, 2014 @11:22AM (#46046133)
      So? I just don't understand how comments like yours that bash bug bounties get modded up...Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.
    • by joe545 (871599) on Thursday January 23, 2014 @11:28AM (#46046209)

      That is complete and utter rubbish. One of the examples you mention, the Hoover dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat with vague promises of that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions, in response they had their meagre pay cut and when they weren't happy with that they were fired en-masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation which were conveniently listed as pneumonia.

      Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

      • And the lives of the dozen+ people who died building the Empire State Building and Golden Gate Bridge apparently mean nothing to him.

        When did the mods start +5'ing psychopaths?

        • It sounds more like ignorance than malevolence. If it makes you feel better, the post wasn't at +5 anymore when I read it.
    • You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Go
    • Re: (Score:3, Interesting)

      by KingOfBLASH (620432)

      You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

      So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

      And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

    • You're an idiot. No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it. Paying for bug reports instead of the standard of ignoring them or prosecuting the reporter is the right way to do things.
      • by tlhIngan (30335)

        No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it.

        And most "Hello World" programs have bugs in them! There are error conditions that they don't handle and many assumptions few people realize. (Here's a simple one - what happens if there's no stdout? How do you handle that case?)

        Sure the failure of Hello World doesn't really amount to much, but doing it properly takes a lot of extra work.

    • by operagost (62405)

      instead of hiring more security engineers and challenging developers to write safer stronger code

      The fact that someone outside Facebook found a security flaw does not mean that Facebook is deliberately not investing in sufficient personnel. Everyone makes mistakes.

      they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to a

    • by bender647 (705126)
      This is my problem in general with a lot of what we call software "engineering". It isn't engineering. When the price of fixing a problem is just recompiling, as opposed to having a building fall down, it seems nothing is planned well or constructed right the first time.
      • The price of a customer encountering a serious bug can be the loss of that customer to a competitor, schedules for new development slipping to make time to fix the bug, lawsuits over loss of customer data, etc. The rule of thumb that we use is that a bug found by QA might cost 10x as much as if the developer didn't produce buggy code (due to delays in testing, the developer having to diagnose the problem, abandoning their current work to re-immerse themselves in the buggy section of code, etc). A bug found
    • by SQLGuru (980662)

      But a bounty gets multiple people to fill the role of the single hired expert. There is also nothing that precludes the bounty participant from holding another job (potentially as an expert for a company that DOES pay a living wage) and participating in the bounty program. Even if FB does hire experts, having the bounty program allows you to tap the knowledge of far more experts......and we've already seen that even the best can't foresee every possible avenue of attack. The hive mind is smarter than a s

    • No, you're wrong, bounties and prizes were an integral part of American history.

      https://challenge.gov/p/about [challenge.gov]

      http://www.slideshare.net/crai... [slideshare.net]

    • I'm pretty sure I've seen pictures of the builders of the empire state building sitting on some I-beam with no safety gear [google.com] or even a rope to hold on to. I somehow doubt construction employers cared more about their employees then than they do today.
    • by necro81 (917438)

      instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business

      I'm not going to debate whether Facebook, et al., exploits its employees - it's a different discussion for another day. I will point out that, even if Facebook tripled its security staff, and tripled the salary and benefits of that staff, vulnerabilities and bugs large and sm

    • by Salgat (1098063)
      Bounties are important because you distribute risk substantially. Instead of relying on your employees to catch every single bug (which is near impossible to be perfect), you make the entire world a potential employee with a reward for anyone who comes across the flaw.
    • God, shut the fuck up. Next time you go on a meandering, bewildering rant like that try to at least make some sort of valid point, you idiot.
  • Props to this guy (Score:5, Insightful)

    by thedillybar (677116) on Thursday January 23, 2014 @10:58AM (#46045889)
    Nice to associate the term "hacker" with "honest" once in a while
  • nice!!
  • by Nimey (114278) on Thursday January 23, 2014 @11:37AM (#46046301) Homepage Journal

    All /etc/password contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

    About all /etc/passwd gains an attacker is a list of good login names.

    • by Anonymous Coward on Thursday January 23, 2014 @11:53AM (#46046481)

      It's a demonstration of file system traversal vulnerability. Most likely the application is run as under an unprivileged user account which surely does not have access rights to read /etc/shadow, however it has access to own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, content of /etc/password is more than enough for the demonstration.

    • by gnu-sucks (561404)

      A good list of usernames is sometimes all you need.

      I purchased a server from Goodwill once, and it just so happened that it had an intact hard disk. The server was running some version of Solaris, and was part of a database for a large fortune 500 company that you have probably heard of. As an interesting "exercise", I decided to put it on my network and hack into it.

      The box had a very bad telnet daemon, and using the simplest of exploits imaginable, I was able to return the contents of arbitrary files and

  • by Anonymous Coward

    That is XML injection not remote code execution.

    You send XML with an include this file and the XML parser reads the chosen file.

  • A white hat does exactly what he is supposed to do (allegedly) and a company takes the proper route and doesnt sue him into oblivion, takes the proper steps to make a timely fix and gives him a reward. And yet everyone here swings and misses on the topic.

    Congrats. This place is the officially one rung above 4chan.

The meta-Turing test counts a thing as intelligent if it seeks to devise and apply Turing tests to objects of its own creation. -- Lew Mammel, Jr.

Working...