21 comments

[ 2.9 ms ] story [ 60.9 ms ] thread
Nice. Although I'm still on the fence about bug bounties at their current price, as I can't help but see this as potentially manipulative, like hackathons where a company owns what you make, this guided hacking seems to be taking advantage of people's passions in order to underpay them for work.

But, I can't really say it's underpaid, as I have no idea what the black market for exploits is like, so maybe they are fairly paid.

>where a company owns what you make

To be fair, Facebook owns those vulnerabilities since they wrote the code :)

>in order to underpay them for work.

You already know the bounties you would receive, if you think they are not fair, just don't look for vulnerabilities.

> Facebook owns those vulnerabilities since they wrote the code :)

However, vulnerabilities are worthless. It's the exploit that has value, and you wrote the code for that.

>> But, I can't really say it's underpaid, as I have no idea what the black market for exploits is like, so maybe they are fairly paid.

There is no black market for isolated vulnerabilities in a single website.

https://news.ycombinator.com/item?id=11249173

That's not exactly true.

Plenty of profit to be made from hijacking facebook accounts, traffic, etc.

I find this difficult to believe. The demand for a vulnerability is directly proportional to its half-life. Facebook accounts are not like desktop computers that can be harvested for a botnet.

I could see a e.g. XSS worm being useful for spreading an advertisement from status to status, but there are two issues with that hypothesis: 1) Facebook is centralized, so the flaw would have maybe 24 - 48 hours of utility and 2) it's not even necessary to use a vulnerability to spread bullshit on Facebook newsfeeds, so why pay for it?

The alternative claim is that someone would pay a lot of money for a security vulnerability compromising a high value account belonging to a celebrity, journalist, politician, etc. I still find this difficult to believe, because there doesn't appear to be a historical precedent for it. Most such attacks focus on brute-forcing a password or other authentication mechanism.

>I could see a e.g. XSS worm being useful for spreading an advertisement from status to status, but there are two issues with that hypothesis: 1) Facebook is centralized, so the flaw would have maybe 24 - 48 hours of utility and 2) it's not even necessary to use a vulnerability to spread bullshit on Facebook newsfeeds, so why pay for it?

Someone paid 100k to put an exploit pack on redtube for a couple of hours, I'm sure they'd pay much more for a XSS worm allowing them to do the same on facebook. The average value per install in western countries with cryptolockers and FakeAV is really high.

>The alternative claim is that someone would pay a lot of money for a security vulnerability compromising a high value account belonging to a celebrity, journalist, politician, etc. I still find this difficult to believe, because there doesn't appear to be a historical precedent for it. Most such attacks focus on brute-forcing a password or other authentication mechanism.

I don't know, I used to regularly get requests from entertainment industry businesses asking me to compromise competitors facebook accounts for obscene amounts of money. Same goes for jealous ex boyfriends, even though the sums offered by them only tended to be a couple of grand.

While certainly true for a plenty of other sites, the claim that there's no market for FB bugs simply has zero basis in reality.

You're actually in the industry, as I am, so I'm willing to suspend more disbelief to verify what you're saying. You probably wouldn't be willing to show evidence of these claims here on HN, but would you be willing to do so privately? That might actually be sufficient to change my stance on Facebook vulnerability value.
Facebook accounts are quite valuable.

Off the top of my head:

* Spam/advertising using multiple accounts, groups, and pages.

* Spreading malware via Messenger, pages, and groups.

* Selling page likes and video views.

* Email harvesting and private personal information gathering.

* Grabbing photos from private albums.

What you're describing sounds credible, but the problem I have with accepting it is that I have seen absolutely no evidence in the wild that there is actually a market for this. It is counter to the entire methodology of pricing vulnerabilities.

You don't need a vulnerability to spread spam on Facebook, so that's out. Page likes and video views can be done with botnets. Spreading malware doesn't make sense - it would be far superior to buy a vulnerability allowing direct desktop access, not one that will be patched quickly.

The other examples require me to believe that companies which would be interested in photos or email addresses are the same ones willing to pay four or five figures for a one-time use vulnerability. This is an extraordinary claim. There is no real-world Venn diagram of companies interested in harvesting emails or photos and companies willing to pay for Facebook vulnerabilities. Those companies are either TMZ or the NSA. You're asking me to believe that TMZ is willing to purchase security vulnerabilities and competently use them, or that the NSA is willing to purchase Facebook vulnerabilities for one-time use (if anything, I'd believe in them developing them in-house).

What actually happens is vulnerabilities in iOS, PHP, WordPress, OpenSSH, etc. are use for wide-reaching effect, not for a single website.

> You don't need a vulnerability to spread spam on Facebook, so that's out. Page likes and video views can be done with botnets. Spreading malware doesn't make sense - it would be far superior to buy a vulnerability allowing direct desktop access, not one that will be patched quickly.

But using compromised accounts that belong to real people with a believable history is more effective for spamming. Of course you'll need botnets, but if the accounts look fake, rarely anyone will follow what you're saying. This is less of a big deal for page likes and views, but it can still be helpful as it will make your page's likes look more legitimate.

Using the accounts and pages of influential people (100k likes or so) to spread malware and advertise is a whole different beast than using some account without a profile pic to do the same.

Regarding personal information, yes I agree, it's definitely more limited in usefulness and not something worth $10k.

But for the rest I've mentioned, I'd argue that a large malware spreading service (yes, these exist) would find an exploit of such nature quite valuable.

So I assume they won't give a bounty, if somebody finds a bug like the possibility of calling their testing tool trough a chat message?
He forgot to mention m.facebook.com . There have been many issues over the years with the mobile site that didn't exist on the main site. Examples:

1) You could invite anyone to a Facebook event via their Facebook ID by simply doing an HTTP post of Facebook ID's to the event invitation script on this domain, but not on the main site. For some reason, on the mobile site they didn't implement the check to see if you were actually friends with the invitee. Since FB sends an email to each invitee, this was an enormous spamming loophole for quite a while.

2) For a long time, there was no frame-breaking script on m.facebook.com. You could clickjack essentially anything on Facebook this way. Years ago I did a proof-of-concept on this where I clickjacked a platform app authorization, which let me receive the name, email, and other profile info of any user that did nothing more than click the X button on an annoying overlay I put on the screen.

I always was sketched out by those "X"'s on any advertisement.
> 2) For a long time, there was no frame-breaking script on m.facebook.com. You could clickjack essentially anything on Facebook this way. Years ago I did a proof-of-concept on this where I clickjacked a platform app authorization, which let me receive the name, email, and other profile info of any user that did nothing more than click the X button on an annoying overlay I put on the screen.

Do you still have a copy of this? I'd like to see it

Today it wouldn't work because they now have frame-breaking on m.Facebook.com. But if you'd like to see the general template you can email me at the email in my HN profile.

Basically, you position the iframe element over something that will be clicked (such as an advertisement X button), set its z-index so that it is the topmost element, and set its opacity to 0. You can even test to see when the click has occurred by testing for when a certain element on your page has lost the focus.

> Today it wouldn't work because they now have frame-breaking

Yeah. I just want to see what the original vulnerability looked like.

I bug hunt.

Thanks for the offer to email you, but, I'm transitioning away from E-Mail for security reasons.

"Facebook’s internal network where employees turn those gears so you can scroll past that “10 Things You Love About Potatoes” BuzzFeed article one more time."