[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.
The Graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able to. [Laxman] decided to test this claim himself.
He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.
He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.
Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite.
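As an added example (not from the write-up and not Facebook's code), a toy model of the authorization decision behind this bug: one handler trusts the issuing app plus view access, the other keys the decision on the granted scope and object ownership. App ids and scope strings are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the pieces involved in the bug described above.
# App ids and scope names are assumptions, not Facebook's real ones.

@dataclass(frozen=True)
class Token:
    user_id: str          # the user the token was issued to
    app_id: str           # the app that minted it (explorer vs. mobile app)
    scopes: frozenset     # permissions the user granted to that app

@dataclass
class Album:
    owner_id: str
    viewers: frozenset    # users other than the owner who may view it

FIRST_PARTY_APPS = {"fb_mobile"}   # assumed allowlist of trusted first-party apps

def delete_album_vulnerable(albums: dict, token: Token, album_id: str) -> bool:
    """Mirrors the reported flaw: a first-party app token is trusted for the
    delete, and the only object-level check is 'can this user see the album'."""
    album = albums[album_id]
    can_view = token.user_id == album.owner_id or token.user_id in album.viewers
    if token.app_id in FIRST_PARTY_APPS and can_view:
        del albums[album_id]
        return True
    return False

def delete_album_hardened(albums: dict, token: Token, album_id: str) -> bool:
    """Fixed: the decision depends on the granted scope and on ownership of the
    object, never on which app issued the token or on mere view access."""
    album = albums.get(album_id)
    if album is None or "albums:delete" not in token.scopes:
        return False
    if album.owner_id != token.user_id:        # object-level authorization
        return False
    del albums[album_id]
    return True

def scenario(handler) -> tuple:
    """Replays the write-up: the tester can view the victim's album and holds
    both an explorer token and a mobile-app token. Returns
    (explorer deleted own album?, victim album deleted?, owner deleted own?)."""
    albums = {"victim_album": Album("victim", frozenset({"tester"})),
              "own_album": Album("tester", frozenset())}
    explorer = Token("tester", "graph_explorer", frozenset())
    mobile = Token("tester", "fb_mobile", frozenset({"albums:delete"}))
    explorer_ok = handler(albums, explorer, "own_album")
    victim_hit = handler(albums, mobile, "victim_album")
    own_ok = handler(albums, mobile, "own_album")
    return explorer_ok, victim_hit, own_ok
```

The hardened handler still lets the owner delete their own album with a properly scoped token, but refuses the cross-user delete regardless of which app minted the token.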
Guess I should go for bug hunting. Even after taxes, this is a nice amount of money. Kudos to Laxman for being a white-hat.
Damn, $12,500!
That is a nice used car!
Nevermind a car, that’s a down payment for a cheap house! (Depending where you live.) Or in my case, a clean credit line. >.>
Holy, you’re obviously not from Western Canada, my dream of owning a home is officially dead.
But they’re making some really nice tents these days…
Where I live that’s a down payment for the privilege of admiring a cheap house for no more than 5 minutes. From the comfort of your own car. Parked across the street.
(c:
I really need to learn how to find bugs and security vulnerabilities in larger companies’ systems…
Wouldn’t bother. This bloke found a bug, Facebook said it wasn’t a bug even after he tried to show them. So he put a post on Zuckerberg’s wall to prove it and then they wouldn’t pay out because he hacked…
http://gizmodo.com/a-guy-hacked-zucks-wall-after-facebook-ignored-his-bug-1163729527
IIRC, he wasn’t paid because he didn’t follow their responsible disclosure policy.
I think hacking Zuckerberg’s page does break that policy, but when he reported it through the proper procedures the Facebook engineers didn’t listen. Perhaps he should’ve tried to pursue that avenue more though.
No kidding. It’s not the hacking that’s the issue, it’s the nature of the hacking. Setting up a dummy account and proving it by making a post on the dummy account’s wall would have been just fine, just as it was fine for [Laxman] to set up a dummy account and delete an album off of it in order to test the bug he was reporting. Demonstrating the bug by making a post on Zuckerberg’s wall just reeks of your stereotypical arrogant, self-important programmer, of which there are far too many in the world.
And even good-guys are suckers for a golden arrow:
http://img2.wikia.nocookie.net/__cb20130315050152/disney/images/1/18/2c3b92c008a0de1f8e09b010.L.jpg
I found a bug on pizza chain site and got a $20 gift card…
I feel good, and it fed my family.
…Although 12.5k sounds much better ;)
In my case, getting a free pizza would be more than enough – though this is probably because I know that my skills wouldn’t get me anything whatsoever.
Just think of how many pizzas one could buy with that…
You could buy four pizzas here in Australia.
Global cuties 🙃