28 comments

[ 4.3 ms ] story [ 75.6 ms ] thread
Congrats! Nice bounty ($9K) for a relatively unsophisticated hack. Getting into infosec is becoming more enticing.
There are many regressions too, so you can get inspiration from old bounties with knowledge of hacks and reapply them to many platforms
That seems underpaid IMO, since the vulnerability is worth Way More than $9k to other parties.
being Good is not cheap; you inherently limit yourself a very small market.

The Others don’t matter to determine the value here; there is only one person to sell to.

Paying out at a rate competitive with malicious actors makes it a market and would incentivise bounty hunting. It would be a perverse incentive.

It's not intended as a source of primary income, it's an incentive to report vulnerabilities when you find them. It's the tech industry equivalent of getting a box of beers for helping out.

Hard to ignore that the “person” buying the beers in this case is one of the wealthiest and dystopian corporations on the planet. In some twisted sense, I have to ask if it might be more ethical, at least in the sense of serving humanity, to leak this to someone malicious and capable of causing damage to FB’s brand.
I think your comment won't get the appreciation it deserves, but here some thoughts.

Any attempt to hurt the system will ultimately make the system stronger[1]. If you attack FB or bug bounties by leaking vulns it will hurt users only.

Responsible disclosure is a farce where people volunteer to help large corporations augment their Q&A processes in most cases without pay. The only winners (except organizations) are the bug-bounty market places which help rig the game and extract what should be done by somebody on a permanent salary and 401. But in a society that normalizes having no health insurance and instead considers it normal for cancer treatment to start a gofundme, there is little surprise that "jobs" exist where you only get paid if you produce a result. It is capitalism functioning as intended.

The tragedy is that the asymmetry of number of people unwilling to do responsible disclosure (SandboxEscaper[2], Janit0r[3], etc) and those others who can afford to invest a year of their time without salary is too big. With every good person that "rips these companies a new one", there will be more pressure on the company to "improve security", which leads to higher bug-bounty payouts but also more people entering the market and competition among the masses to fight for the prize. The only way this is fair is if there is a UBI (and also then only if the it is truly universal or the bounties are limited to locations where people are covered by UBI)

The bug bounties are often defended by people who had success in it and went on to make a name for themselves in infosec. Because why wouldn't they defend a system that seemed to have worked for them?

But it's not like these companies couldn't afford to pay proper wages for those people who tried but failed as well. The argument that it gives you the required experience with some beer-money to become a better hacker, or that it is so much fun is a strawman. Because those few that are getting paid for their "hobby" doesn't count since it ignores those that compete HungerGames style because they don't know where else to go with their silly degree stuck in a country where nobody wants to hire them (regardless of WFH & remote-only).

The solution imho is regulation and legislation of these firms. Force them to pay their taxes, to store data locally so it never leaves a jurisdiction, outlaw targeted advertising, use criminal law for CEO's who bust unions, etc etc. How they do this is their problem really. On a technical side they could use SCION protocol to ensure no packet ever leaves a block of countries that are legally aligned with these rules. Or they can use their much beloved AI that they speak constantly about when dragged in front of congress. It doesn't matter what route people take as long as we start holding them accountable.

Finally create enough awareness in society that if these cases continue to exist, then a manager from such a company will be unable to travel to your country, or that somebody working at X will not be celebrated as "probably a genius" in society but the "useful idiots" that they are. Also people who work for a (legal) secret tax jurisdiction that have dirt on these companies or their employees they can be a real hero by breaking that country's law and leak info about the international financial crimes committed by these firms. But that takes more guts than dropping vulns or simply "deleting fartbook".

These measures would address the problem at its root, hurt the company and its shareholders financially, while even creating jobs in these places and who knows lift a few people out of poverty.

[1] "The Technological Society" by Jacques Ellul: https://archive.org/details/JacquesEllulTheTechnologicalSoci...

[2]

"Paying out at a rate competitive with malicious actors makes it a market and would incentivise bounty hunting. It would be a perverse incentive"

I don't get this. What's wrong with incentevizing bounty hunting? Isn't the whole point of bounties to provide an incentive to the public to find & report bugs?

Personally, if I found a bug that had a market, it's going to the highest (legal) bidder. Be it Mossad, Facebook or Mr. Bone Saw's personal security team. Bug hunting is a professional service not a humanitarian one.

Once, a large city had a rat problem. The pests were everywhere, and none of the usual measures seemed to eradicate them. So the mayor posted a bounty on rats. For every dead rat turned in, the city would pay $5.

This strategy (although certainly better-intentioned) failed for the same reason your proposal would fail.

I’m not sure I get what you mean - I assume you are referencing the fictional tale of the pied piper of hamlet where the pied piper cleared the hamlet of rats by playing a pipe and leading them to a river, but then the mayor refused to pay because he incorrectly claimed the pied piper brought the rats in from another town, so then in retaliation the pied piper kidnapped all the children and they are never seen again?

What’s the similarity here? I’m not entirely sure a fairy tale disproves OPs argument, particularly when the circumstances are so different (you can’t bring in bugs from another app, facebook has a history of paying up and the bounty fees are tiny for them).

Probably suggesting people would start rat farms. Paying large bounties for bugs incentivises developers to introduce bugs for their “friends” to find.

To some extent this dynamic must already exist, which is a troubling thought.

The analogy makes no sense considering there's no way for people to create bugs (unless they're within Facebook, hah) to farm bounties for.
That seems to be the implication, but that seems pretty unlikely because of the risk. If the bounty were, say, 100k, is anyone going to risk a 200k salary over letting a friend of theirs get that bounty? And if you try pulling that off more than once, that's just begging to be caught.
(comment deleted)
> To some extent this dynamic must already exist, which is a troubling thought.

I've not seen any evidence for this behaviour existing, even with Microsoft Bug Bounties of up to $250,000, or even heard of developers being tempted to introduce bugs for friends to find them.

I assume the bigger risk is developers intentionally introduce bugs for nefarious purposes (i.e. black market sale), rather than to win a bug bounty.

It's not too late. Some of the most talented infosec people I've worked with came from other areas of information technology or software development. Who better to find the flaws than those who are familiar with how systems work or understand how the code may be written?
Just noticed this account is anything but throwaway. With >3000 Karma in a year, throwaway888abc is quite the prolific poster!
Can you please elaborate on what this has to do with the topic at-hand?
This is the basic vulnerability from the large cell phone db scrape that was released? contact to FB matching. Seems pretty bad not to check the problem doesn't still exist elsewhere...

I wonder if OP tried bulk requests see if there is any request limit or other throttling checks at least.

Is it me or does that look extremely easy to reproduce. Easiest $9K in bug bounties I have seen. Must have been more to discovering it than just observing traffic and composing HTTP.
A bugs value is due to its impact, not how hard it is to reproduce. And there may have been a lot of initial research involved, who knows. Still, the money isn't paid for time spent.
Does it work on females too?
I went back and read the content again because of your comment. What a waste of time.

> Identify a Facebook user by *his* phone number despite privacy settings set

Stop being so obtuse about exculpatory mistakes; I am not suggesting HN comments should be humourless, but this is not Reddit.

No one can tell if you're genuinely offended (by grammar or societal gender-terms) by or just a smart arse, your sarcastic tone implies the latter.

I'm not "offended" as such, I just think casual sexism should always be called out (although in fairness, it's an excusable mistake for a non-native speaker, albeit one that still bears pointing out). And yeah, I used sarcasm to do it, because it's more fun; sue me.

I don't think "exculpatory" means what you think it means.

Casual sexism this isn't. Plenty of people switch between he and she as defaults.
I can't find my Chinese buddy in china this way. Weird.