Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Facebook Attach EXE Vulnerability
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Tue, 1 Nov 2011 14:00:42 +0100

nice speculation, but imo it would make them look more bad, if they turn
down the reports, because it will come back to them (either via the
publication like in this case, or just simply someone exploiting it).
so while I don't have personal experience working with the facebook
security team, but at least they have a dedicated channel for reporting
security related bugs and even a bounty program.
thats more than the 99% of the sites/companies offer.
btw: someone mentioned that 500 bucks isn't worth the efforts, but imo the
same people would tell the same about $1000, or $5000 even.


On Tue, Nov 1, 2011 at 1:54 AM, mutiny <mutiny () kevinbeardsucks com> wrote:

The main thing is that the security division at facebook probably runs
the bug hunting page (as with everywhere else, which does make a decent
bit of sense).  And, if you spot bugs before they do, then that looks
bad on them (internally at the company and externally to the world).
So, it is not in their interest to openly acknowledge your bugs,
especially by paying you cash money (not to mention, accounting is going
to hate them if they see bucks leaving the company for any reason,
instead of coming in).  Not to forget, it is in their interest to
downplay your bug to the rest of the company and the world (for those
same reasons).

If you're doing research /for your own interest/, I recommend
maintaining full-disclosure.  Embrace the bazaar and burn down the
cathedral.

If you're interested in making money, the smart route is through script
kiddies or whoever (but realize, you'll probably need to go ahead and
write a reliable exploit, to see any real cash).  Script kiddies (and
agents of various governments) often have tons of money to throw around
to either bolster their own image (and eventually get arrested) or make
money from your bug (especially if you're providing a reliable
exploit).  Not to mention, the actual damage that will be caused by the
majority of these "black hats" is nothing compared to what those
companies are going to have done, before they eventually crash.

You could also monetize your security research by taking an
administration, research or QA position.  But, too often, you're only
ensuring that you'll never be interested in any of the work that crosses
your desk, ever again.

You'll laugh, if you ever end up taking a "real job" doing security
research, when you see heads getting butted between research teams and
QA teams.  Most security companies, for example, do not look at their
own products (imagine at HP, QA teams for various products would be
screaming their heads off at Tipping Point, if they went bug hunting in
HP products - often when it's publicly disclosed, those research teams
will *still* stay away from it, so the QA teams can tackle it and avoid
the headache).

It often feels like the first person to market a firewall/IDS/IPS/etc..
pulled off the greatest exploitation, of a security vulnerability (and
the most common/reliable vulnerability, social engineering), of all time.

In short, what your father didn't tell you is: If you're trying to make
money, by doing *independent* security research, *shop around* for a
buyer.  (Describe the impact to the buyer, to receive a bid, before
releasing anything beyond generic details.  If they do not make a
serious bid, take your ball and go home.  If you have the right friends,
or enough spare money, involve a lawyer.)

And, most importantly, forget what any of these cunts try to tell you
about morals or ethics.  They're only pushing their point-of-view on
you.  It's best to, at least, consider all of the view points and make a
decision on what works for you/matters to you/etc...  None of these
people, including myself, can tell you what is morally or ethically
wrong.  And, don't let them heap shame on you, ever.

Releasing a remote root/system vulnerability (even if you include a
reliable exploit) to full-disclosure, conspiring with a
company/individual to keep secrets for X amount of time and selling an
exploit to an anonymous bidder should add no more weight to your
shoulders than you already carry.  Just be sure that *you* are happy
with your decision.

 - sedition

On 10/31/2011 6:11 PM, xD 0x41 wrote:
Oh hey, 3k is great!
I saw that they just made it look abit cheap... no wrath but, it is
still a MULTI billion now, dollar company, so they shoukld be trying
to make SURE they can out bi ANY underground payers.. thats all i had
to question.
thanks for clearing it up, but sure, if theyre paying better now thats
cool, i should have said to, it is atleast a step in the right
direction :s  Still, they ARE*** a mutil frigging million dollar
company lol, so why wouldnt they give say, 1k minimum and make sure
they get people more than interested but even fuzzing for bugs wich
could potentially be in use already... this is something theyre not
covering atall really with 500bux.
It is tho, a start...
cheers for clearing up theyre rce payout, wow, so they maybe read
googles hall of fame and did it in accordance ? Maybe im wrong but....
this company, is not really the same thing as a google, and i guess a
bug on this site, would be actually worth 5million pcs to anyone
buying it... im just saying for them being so rish, they could do
better, and definately, the comapnies who offer nothing, should get
nothing back, simple, thats why blackhats sometimes are blackhats,
they got rooted around tryin to help some pig headed company who makes
millions yet will screw you around so badly, you do realise they tried
to reproduce the bug YOU made even, in order to _NOT_ pay you shit.
remeber that.
But then again, your in theyre pocket now, and really CANT do shit now
but say yes sir no sir two bags half fkn full sir.
am i rite.
cheers tho.
FB still sux hairy ones.



On 31 October 2011 16:44, Chris Evans<scarybeasts () gmail com>  wrote:
On Sat, Oct 29, 2011 at 2:33 PM, xD 0x41<secn3t () gmail com>  wrote:
Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 usd for remote-code injection)
,
Actually, it's $500 _or more_. I've lost the reference, but I think
they paid about $3000 for one case. Perhaps an RCE? Anyway, your
assumption is off.

one remote code injection bug for FB in a security environment wich is
not white, and may sell the bug for upto more than 5000,
You can't compare whitehat vs. blackhat programs. In the latter, you
cross moral and legal lines. Most people aren't willing to be such a
dick.

Perhaps you should reserve your wrath for companies that offer
$fuckall for good bugs? :)


Cheers
Chris

because if a
RCE or other was there, something wich was 'seadable' or wormable,
then theyre bounty should be far higher, because that doesnt even
match up to what many 0days would sell for.
If someone had a rce for this and were to worm it, now thats a million
dollar botnet... that would be for those who could make from it
something and there is no shortage of spammers all to happy to take
control of 2million or more pcs...
Thats just one scenarion, in wich they could loose somuch data and
info, and in exchange offer 500bux.
What a slap in the face, FB should be ashamed of that price and bump
it up atleast for more serious stuff.
EXE attachment would be medium to high risk, they would be able to now
patch it, after first they did not acknowledge, but also did not have
the bounty also... only recently they have added this, with what, a
crappy 500 bux, multi million dollar enterprises, wich are saved by
these disclosures, and they are paying pittance.
SHAME ON YOU FACEBOOK.COM , Shame...

Welcome to the Shame-Files FB, your a disgrace to the good people who
are helping you.
Nice bug, and, atleast you worked with them to reproduce, you realise
they would have gave you 0 $ if they had repoduced this, so again,
shame on them for only acknowledging this when they failed at
repruction.
Theat 'bounty' page screams to me of the actual owners writing, and, I
bet he even probably hand wrote that, because he is a TIGHT FTSTED
pr**k , someone should put a /blackhat/ folder there, but then, its
not worth the time :) (no bug payout rofl...)
Notice also, D0S is not part of this, well then this would be funny if
one were to find a 0dayer in FB (ala apache d0s byterange style) ,
well dont bother disclosing it , just run it on a loop from theyre own
pages, afterall, whats the use to disclose such a shitty thing (yes
this is true it is shitty but, is all cases same...)
So summary is, Remote code injection or other, will get ya 500$ ,but,
if you goto an UG blackhat site, you might get 5k and up :P
xheers and again, thanks for being a good person and helping the
citizens of FB, really tho, you have, probably saved me even, 20
removals from my sisters PC :P
So, yes, I thank you and FD surely would thank you but, FB dont give a
damn :P
If they have anyone on this list who is also in theyre secteam well,
you really have a 'suck-ass' bounty, wich should be looked over,
because seriously, what worth would be it to give you anything, when
it is directly cheaper from wqebsites to buy it, and not have any
disclosure atall.
I guess this is something YOU need to ponder, not me, and im glad for
that, and Im glad again, i dont use the shitty service, and never
will.
Enjoy, have a great day!



On 30 October 2011 05:12, Nathan Power<np () securitypentest com>  wrote:
That was the original program I was participating in.  Facebook has
agreed
to pay me a bounty for this bug.

Nathan Power
www.securitypentest.com

On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k<ulises2k () gmail com>  wrote:
You know this?  ;)
https://www.facebook.com/whitehat/bounty/



On Fri, Oct 28, 2011 at 17:49, Nathan Power<np () securitypentest com>
wrote:
I would also like to note this vulnerability was reported
responsibly in
regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure

Nathan Power
www.securitypentest.com
On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power<
np () securitypentest com>
wrote:
I was basically told that Facebook didn't see it as an issue and I
was
puzzled by that. Ends up the Facebook security team had issues
reproducing
my work and that's why they initially disgarded it. After
publishing, the
Facebook security team re-examined the issue and by working with
me they
seem to have been able to reproduce the bug.

Nathan Power
www.securitypentest.com


On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes<pablo () ximen es>
 wrote:
Not fixed yet. At least not yesterday when I checked.
Nathan, didn't Facebook ask for some time to fix this bug after
they
have acknowledged it?

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
Em 27/10/2011, às 19:29, Joshua Thomas<rappercrazzy () gmail com>
escreveu:

can't believe such was on FB  .... wahahaha !!! lol ....rofl ...

When was this discovered and fixed ?


On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power<
np () securitypentest com>
wrote:


---------------------------------------------------------------------------------
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to
attach
a file.
Using this feature normally, the site won't allow a user to
attach an
executable file.
A bug was discovered to subvert this security mechanisms. Note,
you
do NOT have
to be friends with the user to send them a message with an
attachment.


---------------------------------------------------------------------------------
Read the rest of this advisory here:


http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html

Enjoy :)

Nathan Power
www.securitypentest.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]