Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Facebook Security The Almighty Buck IT

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom" 111

Posted by timothy from the yeah-let's-talk dept.
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
This discussion has been archived. No new comments can be posted.

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom" More

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

Comments Filter:

  • Comment removed (Score:1, Interesting)

    by account_deleted ( 4530225 ) on Thursday January 23, 2014 @10:57AM (#46045881)
    Comment removed based on user account deletion

  • Re:a pittance in ayn rands america. (Score:4, Interesting)

    by Chameleon Man ( 1304729 ) on Thursday January 23, 2014 @11:22AM (#46046133)
    So? I just don't understand how comments like yours that bash bug bounties get modded up...Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.

  • Re:a pittance in ayn rands america. (Score:2, Interesting)

    by Antipater ( 2053064 ) on Thursday January 23, 2014 @11:26AM (#46046171)

    More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

    Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled out as an unacceptable structural risk.

    http://en.wikipedia.org/wiki/Hoover_Dam#Concrete [wikipedia.org]

  • Re:a pittance in ayn rands america. (Score:3, Interesting)

    by KingOfBLASH ( 620432 ) on Thursday January 23, 2014 @11:35AM (#46046287) Journal

    You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

    So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

    And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

  • Re:/etc/password, not /etc/shadow! (Score:5, Interesting)

    by Nimey ( 114278 ) on Thursday January 23, 2014 @12:04PM (#46046589) Homepage Journal

    And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.

Slashdot Top Deals

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Close