lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 30 Oct 2011 08:33:12 +1100
From: xD 0x41 <secn3t@...il.com>
To: Nathan Power <np@...uritypentest.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook Attach EXE Vulnerability

Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 usd for remote-code injection) ,
one remote code injection bug for FB in a security environment wich is
not white, and may sell the bug for upto more than 5000, because if a
RCE or other was there, something wich was 'seadable' or wormable,
then theyre bounty should be far higher, because that doesnt even
match up to what many 0days would sell for.
If someone had a rce for this and were to worm it, now thats a million
dollar botnet... that would be for those who could make from it
something and there is no shortage of spammers all to happy to take
control of 2million or more pcs...
Thats just one scenarion, in wich they could loose somuch data and
info, and in exchange offer 500bux.
What a slap in the face, FB should be ashamed of that price and bump
it up atleast for more serious stuff.
EXE attachment would be medium to high risk, they would be able to now
patch it, after first they did not acknowledge, but also did not have
the bounty also... only recently they have added this, with what, a
crappy 500 bux, multi million dollar enterprises, wich are saved by
these disclosures, and they are paying pittance.
SHAME ON YOU FACEBOOK.COM , Shame...

Welcome to the Shame-Files FB, your a disgrace to the good people who
are helping you.
Nice bug, and, atleast you worked with them to reproduce, you realise
they would have gave you 0 $ if they had repoduced this, so again,
shame on them for only acknowledging this when they failed at
repruction.
Theat 'bounty' page screams to me of the actual owners writing, and, I
bet he even probably hand wrote that, because he is a TIGHT FTSTED
pr**k , someone should put a /blackhat/ folder there, but then, its
not worth the time :) (no bug payout rofl...)
Notice also, D0S is not part of this, well then this would be funny if
one were to find a 0dayer in FB (ala apache d0s byterange style) ,
well dont bother disclosing it , just run it on a loop from theyre own
pages, afterall, whats the use to disclose such a shitty thing (yes
this is true it is shitty but, is all cases same...)
So summary is, Remote code injection or other, will get ya 500$ ,but,
if you goto an UG blackhat site, you might get 5k and up :P
xheers and again, thanks for being a good person and helping the
citizens of FB, really tho, you have, probably saved me even, 20
removals from my sisters PC :P
So, yes, I thank you and FD surely would thank you but, FB dont give a damn :P
If they have anyone on this list who is also in theyre secteam well,
you really have a 'suck-ass' bounty, wich should be looked over,
because seriously, what worth would be it to give you anything, when
it is directly cheaper from wqebsites to buy it, and not have any
disclosure atall.
I guess this is something YOU need to ponder, not me, and im glad for
that, and Im glad again, i dont use the shitty service, and never
will.
Enjoy, have a great day!



On 30 October 2011 05:12, Nathan Power <np@...uritypentest.com> wrote:
> That was the original program I was participating in.  Facebook has agreed
> to pay me a bounty for this bug.
>
> Nathan Power
> www.securitypentest.com
>
> On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k <ulises2k@...il.com> wrote:
>>
>> You know this?  ;)
>> https://www.facebook.com/whitehat/bounty/
>>
>>
>>
>> On Fri, Oct 28, 2011 at 17:49, Nathan Power <np@...uritypentest.com>
>> wrote:
>> >
>> > I would also like to note this vulnerability was reported responsibly in
>> > regards to full disclosure.
>> > http://en.wikipedia.org/wiki/Full_disclosure
>> >
>> > Nathan Power
>> > www.securitypentest.com
>> > On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np@...uritypentest.com>
>> > wrote:
>> >>
>> >> I was basically told that Facebook didn't see it as an issue and I was
>> >> puzzled by that. Ends up the Facebook security team had issues reproducing
>> >> my work and that's why they initially disgarded it. After publishing, the
>> >> Facebook security team re-examined the issue and by working with me they
>> >> seem to have been able to reproduce the bug.
>> >>
>> >> Nathan Power
>> >> www.securitypentest.com
>> >>
>> >>
>> >> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pablo@...en.es> wrote:
>> >>>
>> >>> Not fixed yet. At least not yesterday when I checked.
>> >>> Nathan, didn't Facebook ask for some time to fix this bug after they
>> >>> have acknowledged it?
>> >>>
>> >>> Pablo Ximenes
>> >>> http://ximen.es/
>> >>> http://twitter.com/pabloximenes
>> >>> Em 27/10/2011, às 19:29, Joshua Thomas <rappercrazzy@...il.com>
>> >>> escreveu:
>> >>>
>> >>> can't believe such was on FB  .... wahahaha !!! lol ....rofl ...
>> >>>
>> >>> When was this discovered and fixed ?
>> >>>
>> >>>
>> >>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power <np@...uritypentest.com>
>> >>> wrote:
>> >>>>
>> >>>>
>> >>>> ---------------------------------------------------------------------------------
>> >>>> 1. Summary:
>> >>>> When using the Facebook 'Messages' tab, there is a feature to attach
>> >>>> a file.
>> >>>> Using this feature normally, the site won't allow a user to attach an
>> >>>> executable file.
>> >>>> A bug was discovered to subvert this security mechanisms. Note, you
>> >>>> do NOT have
>> >>>> to be friends with the user to send them a message with an
>> >>>> attachment.
>> >>>>
>> >>>> ---------------------------------------------------------------------------------
>> >>>> Read the rest of this advisory here:
>> >>>>
>> >>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
>> >>>>
>> >>>> Enjoy :)
>> >>>>
>> >>>> Nathan Power
>> >>>> www.securitypentest.com
>> >>>> _______________________________________________
>> >>>> Full-Disclosure - We believe in it.
>> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>>> Hosted and sponsored by Secunia - http://secunia.com/
>> >>>
>> >>> _______________________________________________
>> >>> Full-Disclosure - We believe in it.
>> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ