Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."

Wow

[Anonymous Coward]

Stingy reward. That would have fetched quite a bit more on the black/open market.

Re:

[jovius]

Maybe he also sold on the black market. The data and its structure itself may be interesting.

Re:

[blackicye]

Depends on the risk/reward analysis. Would you take a "double your lottery win or go to prison for 3 years" gamble? I wouldn't.

I think your estimate for the black market price of an exploit of this type might be way, way too low.

when i read the headline...

[schlachter]

I expected something like $100K. Would be trivial for them. The could build a whole ecosystem of people trying to report bugs to them.

Re:

[nhat11]

Hey stealing from a bank or selling drugs is profitable too you know.

Re:

[Wootery]

Granted, but the analogy only works if we assume that he found drugs/a bank in his bedroom.

To make money dealing drugs/breaking into banks, one has to go out and buy drugs/break into banks. In this case, Reginaldo Silva (why his name isn't mentioned anywhere in the summary, or indeed the comments, I don't know) found the weakness, and was only then faced with the choice.

Ultimately of course you're right. Doubtless one can often make more money by breaking the law. Nothing new there. Still though, there's an

Crime does pay

[TheNastyInThePasty]

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

Re:Crime does pay

[sandytaru]

Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.

Re:Crime does pay

[bobbied]

Who says he didn't sell it twice? Of course the black market might put a hit on him for it if they had enough bitcoin...

Re:

[PRMan]

Documenting your hit payment with bitcoin is an incredibly stupid thing to do. It's only anonymous until they look though your PC.

I'm curious

[nobuddy]

Why would you keep your bitcoin after you spent them? Especially on such a thing.

"time to pay off this hitman. better photocopy the cash before I do."

Re:

[bobbied]

It's not the coin really, it's the wallet keys. The Transaction will be hashed in the coin for life and tied to the wallet that spent it.

Having a stash of bitcoins on your computer doesn't mean they where ever yours. You could have been mining or something.

Re:

[Wootery]

the black market might put a hit on him

If he sold it without taking proper steps to hide his identity, sure. The man's a security expert, though, so...

Re:

[bobbied]

the black market might put a hit on him

If he sold it without taking proper steps to hide his identity, sure. The man's a security expert, though, so...

Well, this "security expert" just took a highly publicized payment from Facebook for showing them the exploit.

I'm thinking "security expert" in this case might not mean what you think it means...

Re:

[Wootery]

I'm thinking "security expert" in this case might not mean what you think it means...

If he wanted to have it both ways, he could've sold it on the black market 6 months ago, with a disclaimer saying I plan to tell Facebook about the exploit, in 6 months time.

Of course, if the buyer then actually uses the exploit, Facebook might discover and fix the problem ahead of time, which would be a problem.

I wonder if security researchers ever buy exploits on the black market, then write papers about them and disclose responsibly...

Re:

[Xacid]

And this is why we can't have nice things.

Re:

[sl4shd0rk]

without the risk of jail time to boot.

That's no guarantee that the next cracker reporting an exploit will be treated the same way. Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

Re:

[kasperd]

Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

This has indeed happened multiple times in the past. But none of the cases I know of were from a company, which was offering a bug-bounty. Has any company made such a dirty move after publicly announcing a bug-bounty

Re:

[CastrTroy]

I don't know if anybody has been taken to court, but it's not guaranteed that the company with the bug bounty program will pay out. If you want something specific, here's an example involving Facebook [theverge.com].

like planes "usually" crash. 99.9% of the time, no

[Anonymous Coward]

> Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears.

It might look that way if the only information you were familiar with on the topic was news reports.
The thing is, newsworthy events are by definition NOT the usual events. Based on looking
at airplane flights in the news, you might conclude that plane flights usually end in a crash.

In reality, planes usually don't crash, so you don't see them on the news. 99.98% of flights go well.
In reality, security issues usually

PS I'm the reporter, AC to preserve moderation

[Anonymous Coward]

My post above may be slightly unclear, especially not knowing who it's from. I had already moderated the thread so I posted AC.
CVE 2012-0206 is an example of a security issue I discovered and reported. I'm familiar with the usual process because I'm part of the usual process.

CVE 2012-0206 is typical - I reported the issue to the security@ contact. Within a few hours they responded.
They asked if I had further information, if I would hold off on further disclosure for 48 hours so they could test a patch and

Re:Crime does pay

[HoldmyCauls]

This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jailtime and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.

Re:

[akinliat]

That's not really the point. This sort of security breach could have cost Facebook millions in stock value alone, to say nothing of potential losses in revenue. Paying such a niggardly amount is not only insulting to the value that the man has provided to the company, but it also says a great deal about how Facebook views its own investors, who would bear the burden of a sudden drop in stock value.

Re:Crime does pay

[vux984]

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

How is it a problem?

Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

  I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

Re:Crime does pay

[SmlFreshwaterBuffalo]

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

How is it a problem?

Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.

Re:

[vux984]

The 'keys to the kingdom' phrasing was in reference to the article summary which claimed the hacker had the keys to kingdom for facebook... I, perhaps naively, presumed he didn't get into Zuckerberg's pants.

Re:

[morgauxo]

Maybe but that's $33,500 in the clear with no worry about getting caught and consequences.

NSA's response:

[Anonymous Coward]

Bummer!

Re:

[Stewie241]

What is meant by that is that the quietly disclosed it to Facebook, so that Facebook could fix the problem before it was exploited, rather than going public with it first and putting the pressure on Facebook to fix it quicker.

These things generally get announced after the fact especially if it was disclosed in a bug bounty program because part of the deal is the recognition that the security researcher gets (which is a big deal in the security world from what I can tell).

tl;dr - the quietly refers to the fa

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[fast turtle]

The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

The Empire State Building has a Bounty called Rent and it's still collecting.

The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting it's fucking bounty of Tolls every god damn day.

As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't b

Bounty

[Anonymous Coward]

The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

The Empire State Building has a Bounty called Rent and it's still collecting.

Bounty. You keep using the word. I don't think it means what you think it means.

The problem with both of these examples is that they're commercial projects, built for a Commercial Reason.

Absolutely! Facebook is a non-commercial project. They have ads; not commercials!

So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.

I can't respond to that because I'm snickering too much.

Re:

[Bill_the_Engineer]

You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.

The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.

Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild.

Re:

[weilawei]

As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

Not sure which states you drive (drove?) through, but I really don't mind truckers. They're usually the most polite drivers on the Interstate around here. It's the assholes in their BMWs doing 20+ MPH faster than the flow of traffic, weaving in and out, when it's busy, that are the most obnoxious.

Re:

[Anonymous Coward]

as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Re:

[weilawei]

Good point. Urban myth [nevadaculture.org].

In 1986, Tom King, Director of the University of Nevada Oral History Program, interviewed several men who had labored on the construction of Hoover Dam that told him a number of bodies lie buried in it. "These stories were made somewhat plausible by the authority of the tellers, themselves dam workers, and by our knowledge that building the dam was indeed an extremely hazardous enterprise," according to King, "however, further questioning revealed that none of the storytellers had actually witnessed such a tragedy or knew the identity of any of the victims. This was not surprising: the tellers believed what they were saying, but their stories were folklore--there are no bodies in the dam."

Actually, the dam was poured in relatively small sections, so about all a fallen worker had to do to get his face clear of the rising concrete was to stand up. Officially, 96 dam workers died of various causes, and 112 persons unofficially, but none were permanently buried in concrete.

The closest any worker came to being buried was on November 8, 1933 when the wall of a form collapsed sending hundreds of tons of recently-poured concrete tumbling down the face of the dam. One worker below narrowly escaped with his life, however W.A. Jameson was not so lucky and was covered by the rain of debris. Jameson was the only man ever buried in Hoover Dam, and he was interred for just 16 hours before his body was recovered. His remains were shipped to Rock Hill, South Carolina, where a brother and sister lived.

A structural engineer interviewed for a Discovery Channel documentary on Hoover Dam argued that it would be sheer folly to leave a worker buried in the dam. A decomposing body would jeopardize the dam's structural integrity and risk the multi-million dollar project including property and lives downstream on the Colorado River.

Re:

[Antipater]

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled ou

Re:

[Stewie241]

What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

Re:

[cellocgw]

What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

Naaah, what's *really* interesting is breaking down an old parking garage concrete floor and discovering a skeleton [wikipedia.org] of a dragon-like beast which never existed on Earth in the first place.

Re:

[ustolemyname]

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Apparently that is a myth: http://nsla.nevadaculture.org/... [nevadaculture.org]

Re: a pittance in ayn rands america.

[Anonymous Coward]

Finding code bugs and potential vulnerabilities that can be exploited is really hard, even with top notch security-aware developers and in-house security engineers. Why not hire bright minds and offer a bounty, too? They're acknowledging reality, which is more than you can say for a lot of conglomerates.

I like Rand. Don't use her philosophes to make an ill supported point.

Re:

[cellocgw]

I like Rand.

Oh, to be 15 again...

Me, I prefer int(rand)

Re:a pittance in ayn rands america.

[Chameleon Man]

So? I just don't understand how comments like yours that bash bug bounties get modded up...Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.

Re:a pittance in ayn rands america.

[joe545]

That is complete and utter rubbish. One of the examples you mention, the Hoover dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat with vague promises of that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions, in response they had their meagre pay cut and when they weren't happy with that they were fired en-masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation which were conveniently listed as pneumonia.

Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

Re:

[bill_mcgonigle]

And the lives of the dozen+ people who died building the Empire State Building and Golden Gate Bridge apparently mean nothing to him.

When did the mods start +5'ing psychopaths?

Re:

[khellendros1984]

It sounds more like ignorance than malevolence. If it makes you feel better, the post wasn't at +5 anymore when I read it.

Re:

[bill_mcgonigle]

Around time the latter wised up and started calling themselves "libertarians".

Beautiful Orwellian Doublespeak, when those who eschew violence are the psychopaths and the bombers of cities are the peacemakers.

Oh, no, you're just a fool.

Apples and oranges

[Zontar_Thing_From_Ve]

You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Go

Re:

[KingOfBLASH]

You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

Re:

[The Mighty Buzzard]

You're an idiot. No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it. Paying for bug reports instead of the standard of ignoring them or prosecuting the reporter is the right way to do things.

Re:

[tlhIngan]

No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it.

And most "Hello World" programs have bugs in them! There are error conditions that they don't handle and many assumptions few people realize. (Here's a simple one - what happens if there's no stdout? How do you handle that case?)

Sure the failure of Hello World doesn't really amount to much, but doing it properly takes a lot of extra work.

Re:

[operagost]

instead of hiring more security engineers and challenging developers to write safer stronger code

The fact that someone outside Facebook found a security flaw does not mean that Facebook is deliberately not investing in sufficient personnel. Everyone makes mistakes.

they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to a

Re:

[bender647]

This is my problem in general with a lot of what we call software "engineering". It isn't engineering. When the price of fixing a problem is just recompiling, as opposed to having a building fall down, it seems nothing is planned well or constructed right the first time.

Re:

[khellendros1984]

The price of a customer encountering a serious bug can be the loss of that customer to a competitor, schedules for new development slipping to make time to fix the bug, lawsuits over loss of customer data, etc. The rule of thumb that we use is that a bug found by QA might cost 10x as much as if the developer didn't produce buggy code (due to delays in testing, the developer having to diagnose the problem, abandoning their current work to re-immerse themselves in the buggy section of code, etc). A bug found

Re:

[SQLGuru]

But a bounty gets multiple people to fill the role of the single hired expert. There is also nothing that precludes the bounty participant from holding another job (potentially as an expert for a company that DOES pay a living wage) and participating in the bounty program. Even if FB does hire experts, having the bounty program allows you to tap the knowledge of far more experts......and we've already seen that even the best can't foresee every possible avenue of attack. The hive mind is smarter than a s

prizes were an integral part of American history

[schlachter]

No, you're wrong, bounties and prizes were an integral part of American history.

https://challenge.gov/p/about [challenge.gov]

http://www.slideshare.net/crai... [slideshare.net]

Re:the empire state building

[DocSavage64109]

I'm pretty sure I've seen pictures of the builders of the empire state building sitting on some I-beam with no safety gear [google.com] or even a rope to hold on to. I somehow doubt construction employers cared more about their employees then than they do today.

Re:

[necro81]

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business

I'm not going to debate whether Facebook, et al., exploits its employees - it's a different discussion for another day. I will point out that, even if Facebook tripled its security staff, and tripled the salary and benefits of that staff, vulnerabilities and bugs large and sm

Re:

[Salgat]

Bounties are important because you distribute risk substantially. Instead of relying on your employees to catch every single bug (which is near impossible to be perfect), you make the entire world a potential employee with a reward for anyone who comes across the flaw.

Re:

[RightSaidFred99]

God, shut the fuck up. Next time you go on a meandering, bewildering rant like that try to at least make some sort of valid point, you idiot.

Props to this guy

[thedillybar]

Nice to associate the term "hacker" with "honest" once in a while

Nice

[mahmudl4480]

nice!!

Re:

[sudden.zero]

I'm with you; down with Facebook! I never see my family any more, but their entire lives are broadcast on Facebook.

Re:

[Anonymous Coward]

This coming from someone who has their G+ linked to Slashdot.

/etc/password or /etc/shadow?

[Nimey]

All /etc/password contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

About all /etc/passwd gains an attacker is a list of good login names.

/etc/password, not /etc/shadow!

[Anonymous Coward]

It's a demonstration of file system traversal vulnerability. Most likely the application is run as under an unprivileged user account which surely does not have access rights to read /etc/shadow, however it has access to own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, content of /etc/password is more than enough for the demonstration.

Re:/etc/password, not /etc/shadow!

[Nimey]

And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.

Re:

[L4t3r4lu5]

... the most attention-getting thing this guy could have said to Facebook's PHB in charge of Bounty Payouts.

Re:

[Martin Blank]

Code execution in an unprivileged account is one small step away from executing exploit code to get root, and then you've got just about everything.

Re:

[gnu-sucks]

A good list of usernames is sometimes all you need.

I purchased a server from Goodwill once, and it just so happened that it had an intact hard disk. The server was running some version of Solaris, and was part of a database for a large fortune 500 company that you have probably heard of. As an interesting "exercise", I decided to put it on my network and hack into it.

The box had a very bad telnet daemon, and using the simplest of exploits imaginable, I was able to return the contents of arbitrary files and

XML Injection not remote code exec

[Anonymous Coward]

That is XML injection not remote code execution.

You send XML with an include this file and the XML parser reads the chosen file.

Slashdot is of poor taste/gone to the trolls

[228e2]

A white hat does exactly what he is supposed to do (allegedly) and a company takes the proper route and doesnt sue him into oblivion, takes the proper steps to make a timely fix and gives him a reward. And yet everyone here swings and misses on the topic.

Congrats. This place is the officially one rung above 4chan.

Re:

[RightSaidFred99]

What's wrong with you greedy fucks? $33.5k is chump change to you? You must all be 1%ers.