Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its /etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof-of-concept remote code execution which he quietly disclosed to them."
  • by Anonymous Coward on Thursday January 23, 2014 @11:12AM (#46046029)

    As an American, bounties piss me off. There was no bounty for the Golden Gate Bridge, the interstate highway system, or the exploration of the moon. The Empire State Building had no bounty for successful construction and neither did the Hoover Dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

    Instead of hiring more security engineers and challenging developers to write safer, stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. They get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low-wage cubicle farm mentality is tantamount to anticapitalism.

    Code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. In turn it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. Employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

    I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

    More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

  • by joe545 ( 871599 ) on Thursday January 23, 2014 @11:28AM (#46046209)

    That is complete and utter rubbish. One of the examples you mention, the Hoover Dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat, with vague promises that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions; in response, they had their meagre pay cut, and when they weren't happy with that they were fired en masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation, which were conveniently listed as pneumonia.

    Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

  • by Nimey ( 114278 ) on Thursday January 23, 2014 @11:37AM (#46046301)

    All /etc/passwd contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

    About all /etc/passwd gains an attacker is a list of good login names.
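The point Nimey makes above can be turned into a check: a passwd-format file on a shadowed system should carry only the `x` placeholder in its password field, and the only thing it really gives away is which accounts have a real login shell. The following is an added example, not code from the thread, that parses constructed passwd lines and reports both properties; the sample entries, the `NOLOGIN_SHELLS` set and the fake hash are assumptions made for the example.

```python
"""Audit what an /etc/passwd file actually exposes on a modern system.

Added example: parses passwd(5)-format lines and reports (a) which entries
are interactive login accounts and (b) whether any entry still carries a
password hash, or an empty password field, instead of the 'x' placeholder
that defers to /etc/shadow. The sample file is constructed.
"""
from dataclasses import dataclass

# Constructed sample: four ordinary entries plus two deliberate misconfigurations
# (a hash left in the world-readable file, and an empty password field).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy user:/home/deploy:/bin/bash
legacy:$6$examplesalt$FAKEHASHVALUE:1002:1002:Legacy app:/home/legacy:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
"""

# Shells that exist only to refuse interactive logins (assumed common set).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Placeholders meaning "the real hash lives in /etc/shadow" or "account locked".
SHADOWED_PLACEHOLDERS = {"x", "*", "!", "!!"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # 'x' on a shadowed system; anything else deserves a look
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines; malformed lines are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_accounts(entries: list[PasswdEntry]) -> list[str]:
    """Names that can actually start a shell: the 'list of good login names'."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def unshadowed_entries(entries: list[PasswdEntry]) -> list[str]:
    """Names whose password field is not a placeholder: either a hash sitting in
    the world-readable file, or an empty field (no password required at all)."""
    return [e.name for e in entries if e.password not in SHADOWED_PLACEHOLDERS]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("interactive accounts:", interactive_accounts(accounts))
    print("entries not deferring to /etc/shadow:", unshadowed_entries(accounts))
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; an empty result from `unshadowed_entries` is what a properly shadowed system should give.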

  • by Anonymous Coward on Thursday January 23, 2014 @12:32PM (#46046929)

    That is XML injection, not remote code execution.

    You send XML with an "include this file" and the XML parser reads the chosen file.
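The "include this file" the comment above refers to is an XML external entity declared in a DOCTYPE, which the parser resolves when the body references it. The defensive fix is to refuse such documents before they reach the real parser. What follows is an added example, not code from the thread or from Facebook: a pre-parse gate built on Python's standard `xml.parsers.expat` bindings that registers handlers only for DTD declarations, resolves nothing, and raises on any external subset or SYSTEM/PUBLIC entity. The three sample documents are constructed.

```python
"""Refuse XML that declares external entities before it reaches a parser.

Added example: a gate that walks the document with expat, watching only the
DOCTYPE and ENTITY declarations, and rejects anything that would make a
parser fetch a file or URL. Both sample documents are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """The document declares something we are not willing to process."""


def inspect_doctype(xml_bytes: bytes, allow_internal_entities: bool = False) -> str:
    """Return 'plain' (no DTD) or 'internal-dtd', or raise UnsafeXML.

    Only the prolog matters here; element content is parsed but discarded.
    """
    verdict = {"kind": "plain"}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> asks the parser to fetch an external subset.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"DOCTYPE {name!r} references external subset {sysid or pubid!r}")
        verdict["kind"] = "internal-dtd"

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # expat passes value=None exactly when the entity is external (SYSTEM/PUBLIC):
        # this is the "include this file" declaration.
        if value is None:
            raise UnsafeXML(f"entity {name!r} is external: {sysid or pubid!r}")
        if not allow_internal_entities:
            # Inline entities read no files, but they can still expand without
            # bound, so the default policy refuses them as well.
            raise UnsafeXML(f"internal entity {name!r} declared but not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)
    return verdict["kind"]


def is_safe(xml_bytes: bytes) -> bool:
    """True when the gate accepts the document; malformed XML counts as unsafe."""
    try:
        inspect_doctype(xml_bytes)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Run the gate first, then hand the bytes to the application's parser."""
    inspect_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed: an ordinary request body with no DTD.
BENIGN = b'<?xml version="1.0"?><request><user>alice</user></request>'
# Constructed: the shape of the document the thread describes, an entity
# pointing at a local file and referenced from the body.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
       b'<request><user>&ext;</user></request>')
# Constructed: a DOCTYPE with only an inline entity, no file access involved.
INTERNAL_ONLY = (b'<!DOCTYPE request [<!ENTITY co "Example Corp">]>'
                 b'<request><user>&co;</user></request>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", XXE), ("internal entity", INTERNAL_ONLY)):
        print(f"{label}: {'accepted' if is_safe(doc) else 'rejected'}")
```

The gate runs before whatever parser the application actually uses, so it holds regardless of that parser's own entity-resolution defaults; if a deployment genuinely needs inline entities, pass `allow_internal_entities=True` and the external-entity check still applies.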
