Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom" 111
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
Wow (Score:5, Insightful)
Stingy reward. That would have fetched quite a bit more on the black/open market.
Re:Crime does pay (Score:5, Insightful)
Props to this guy (Score:5, Insightful)
Re:a pittance in ayn rands america. (Score:3, Insightful)
The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.
The Empire State Building has a Bounty called Rent and it's still collecting.
The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting it's fucking bounty of Tolls every god damn day.
As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.
So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.
Re: a pittance in ayn rands america. (Score:0, Insightful)
I like Rand.
Oh, to be 15 again...
/etc/password, not /etc/shadow! (Score:4, Insightful)
It's a demonstration of file system traversal vulnerability. Most likely the application is run as under an unprivileged user account which surely does not have access rights to read /etc/shadow, however it has access to own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, content of /etc/password is more than enough for the demonstration.
Re:a pittance in ayn rands america. (Score:3, Insightful)
You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.
The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.
Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild. It's not like Facebook just sits back and depends solely on bounties to keep their infrastructure working. He seems upset that paid staff don't get bonuses for fixing their own mistakes. Somehow he mistakenly believes that by paying bounties, Facebook is slighting their staff.
I agree he has a lot to learn.
Re:Crime does pay (Score:5, Insightful)
$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.
How is it a problem?
Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.
My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.
Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.
I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?
Re:Crime does pay (Score:5, Insightful)
This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jailtime and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.