Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then send a request carrying malicious XML code. The Facebook response included its /etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof-of-concept remote code execution, which he quietly disclosed to them."
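The story describes two things going wrong at once: the relying party accepted an attacker-chosen OpenID provider URL, and the XML parser that handled the provider's reply honoured entity declarations, so a crafted document could pull in a local file. The Python below is an added illustration of the corresponding defensive checks; it is not Facebook's code and not taken from the original story. The allow-listed hostname, the discovery document layout, the sample documents, the placeholder file path and all function names are constructed for this example.

```python
"""Added defensive example (not Facebook's code): pin the OpenID provider to an
allow-list and parse its discovery response with DTDs refused outright."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.parsers import expat

# Constructed allow-list: the only provider host this relying party will talk to.
ALLOWED_PROVIDER_HOSTS = {"openid.example.com"}


def is_allowed_provider(url: str) -> bool:
    """True only for an https URL whose host exactly matches the allow-list.

    urlsplit().hostname strips userinfo and port, so a URL such as
    'https://openid.example.com@evil.example.net/' resolves to its real host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_PROVIDER_HOSTS


class UnsafeXMLError(ValueError):
    """The document declares a DTD or an entity, which is never accepted."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from a remote party, rejecting every DTD construct.

    A first pass with expat installs handlers that abort on a DOCTYPE, an
    entity declaration or an external entity reference; only a document that
    survives is handed to ElementTree. Refusing the DTD covers file and URL
    reads via SYSTEM entities, parameter entities and recursive internal-entity
    expansion alike, without depending on any parser's defaults.
    """
    p = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed (root %r)" % name)

    def reject_entity(*_args):
        raise UnsafeXMLError("entity declaration not allowed")

    def reject_external_ref(_context, _base, _sysid, _pubid):
        raise UnsafeXMLError("external entity reference not allowed")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc) from None
    return ET.fromstring(data)


def discover_endpoint(data: bytes) -> str:
    """Extract the endpoint from a discovery document and allow-list it."""
    root = parse_untrusted_xml(data)
    node = root.find(".//URI")
    if node is None or not node.text:
        raise ValueError("no endpoint URI in discovery document")
    endpoint = node.text.strip()
    if not is_allowed_provider(endpoint):
        raise ValueError("endpoint %r is not an allowed provider" % endpoint)
    return endpoint


def is_rejected(data: bytes) -> bool:
    """Helper for checks: True when the document is refused as unsafe."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents (not real provider responses).
BENIGN_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<discovery>
  <service type="openid-server">
    <URI>https://openid.example.com/endpoint</URI>
  </service>
</discovery>"""

# Same shape, but with a DTD that declares an external entity. The system id is
# a placeholder path; the parser aborts at the DOCTYPE before it is ever read.
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE discovery [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
<discovery><service><URI>&ext;</URI></service></discovery>"""

# A DTD with only an internal entity is refused as well: no DTD, no exceptions.
INTERNAL_ENTITY_DOC = b"""<!DOCTYPE d [ <!ENTITY a "aaaa"> ]><d>&a;</d>"""

if __name__ == "__main__":
    print("benign endpoint:", discover_endpoint(BENIGN_DOC))
    for doc in (EXTERNAL_ENTITY_DOC, INTERNAL_ENTITY_DOC):
        print("rejected:", is_rejected(doc))
```

Rejecting the DOCTYPE wholesale, rather than only disabling external entities, is the simpler policy to reason about: a discovery document has no legitimate need for a DTD, and the check does not depend on which XML library or version happens to be installed. The host allow-list uses exact matching on `hostname` so that prefix, suffix and userinfo tricks in the URL do not widen it.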
Re:Crime does pay (Score:4, Funny)
Who says he didn't sell it twice? Of course the black market might put a hit on him for it if they had enough bitcoin...
Re:a pittance in Ayn Rand's America. (Score:3, Funny)
What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.
Re:Crime does pay (Score:4, Funny)
$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.
How is it a problem?
It's a fact of life that we are daily confronted with the choice between doing the right thing and screwing someone over for money.
My neighbor went on vacation; she gave me the keys to her house to water the plants and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.
Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.
I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?
Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.