Frankly I think the amount being awarded by these companies is minuscule when you compare it to the amount of damage this information could have caused Facebook in the wrong hands.
During the fiasco that was the last white-hat hacker to report he'd hacked Facebook, I posted this:
> Bug bounties are supposed to represent a high probability payoff of a lesser amount of money for finding a bug. This is in comparison to going the black hat sales route, where probability of sale might be lower, but the payoff might be higher. I can imagine one or two state actors who might pay top dollar to have keys to the kingdom to a major social network. (https://news.ycombinator.com/item?id=10756159)
Expected payout = (Probability of reward * size of reward) +/- any additional value I put into who I'm selling it to.
If I have an exploit that gives me a lot of access to Facebook (or any other large company) I have to run that formula for each entity that might pay me for it: Facebook, the NSA, the Chinese Military, and so on down the list. Facebook is offering high probability for a lower payout. The NSA might step up their game and start offering ten times as much, or make it more clear that they will indeed pay you for it (not that I have any proof they'd do such a thing).
Make no mistake, Facebook has probably done this math very carefully when choosing a bounty.
In other words, if you wanted to game the odds, you'd start by offering it on the black market, then if there were no takers after X number of days, offer it to Facebook?
Like Dylan says, people will pay for web server software bugs, if the software is widely installed, because you can make money by building and grooming a fleet of compromised servers. There is a way to do it, and that way works.
There is not a good, reliable way to make money from Facebook account takeover. You can conceive of them speculatively, but that is not the same thing as knowing you can execute, or, better, already having a business process in place that is already executing, just waiting for a new bug.
Your comments make sense in the real world, where the big threat is "criminal enterprise looking to make an illicit buck".
I worry that people are too obsessed about the hypothetical specter of tremendously skilled and bored black-hats who will ruin lives for fun, rather than for a pay-off, e.g. ZF0.
> You'd have to have a real vendetta against someone to value ruining their life at $15k.
You're thinking about it wrong. There is no opportunity cost in their worldview, just lulz to be had at the expense of people they deem worthy of ruination.
(I never said the people that live in the intersection of trolls and blackhats are great at financial or career planning, after all.)
Or simply publishing it first and leveraging the opportunity for contract work. I'd really hope you're able to get a commitment from ZERODIUM before giving them the details.
From this article I get the impression that the bounty wasn't even known beforehand. It doesn't seem like a very careful consideration from Facebook, and I would expect it to be "too low" if they're choosing the amount after someone has already disclosed the bug.
Another factor is that when you are buying on the black market, you can't be sure whether you are buying a real exploit or a fake one. The exploit owner will probably request (irreversible) bitcoin payment, will communicate via anonymous channels and is unlikely to give out details about that exploit until he's got his money. So both sides have difficulty trusting each other. Probably the solution is some trusted third party, but is there one in the black market? It's hard to imagine, actually.
Even if you aren't able to receive some sort of sample proof of work (which is probably not the case with this exploit), you can still mitigate the risk by ensuring the seller has high status in the marketplace and/or is willing to use escrow (or preferably multi-sig) to ensure funds are only released upon receipt.
Not really - a Facebook attack can be proven without revealing the details. E.g. the buyer could ask "give me a list of the friends of <non-public account>" or "make a fake posting with <this content> authored by <this user>".
Problem with that is the buyer could be FB Sec. Now they have a targeted account to watch and find the vuln. themselves. Better option is to find a random famous person and do the same thing.
3-way signed keys with 2 minimum necessary for accessing the BTC wallet. If memory is not playing tricks on me, you can do that with BTC. You can make a client -> seller transaction if everything is normal, else the third party can arbitrate the transaction.
I assume you're wondering about the black market? Traditionally, Russian and Eastern European carder forums. In the golden age of Western Union and Moneygram... More recently, dark web markets over TOR with multi-sig cryptocurrency escrow.
For exploits that don't target a single deployed instance there is a 'grey/white' market. Off the top of my head: ZDI (more defence oriented. I think they distribute just signatures for intrusion detection), Zerodium (more offence oriented), Exodus Intel EIP (not really sure.. they distribute a feed)
I suspect most whitehat researchers would be happier to report this vulnerability and make a nice legal reward, than delve into a black hat market for selling a vulnerability. Seems pretty win-win in this case.
Unless your name is Kevin Mitnick. Then you set up a business and play middleman in selling them to anybody who wants to pony up for it.
"When we have a client that wants a zero-day vulnerability for whatever reason, we don't ask, and in fact they wouldn't tell us," Mitnick tells WIRED in an interview. "Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."
Why wouldn't it be? Someone looks at a program that they bought and paid for, and sees that it has a mistake. They didn't write the software or put the mistake there. How can it be a crime for them to become aware of behavior in someone else's program?
Attacking others who use the software is an entirely different story of course.
I do security audits and agree completely. My biggest issue is that the researcher is working for free. If nothing is found you just burnt a few weeks, if something is found the payout is usually only a couple grand.
If people enjoy doing it, or it makes sense in their currency or situation, awesome. The payouts don't get me excited though.
That's the market though. People who think it's too cheap don't play the game, people who think it's good money do.
In my country, getting paid 15k dollars would mean more than a year's worth of salary at a big infosec company. So it makes complete sense to go in for bug bounties, even if it's "low" payout, or if you spend a lot of time to get one.
Like you said, that's our market, but when working on a global scale, you have to consider pretty much everyone.
This has been discussed many, many times on HN before. This bug would not cause Facebook much damage; in fact, Facebook and Google tend to overpay rewards for bugs for the purposes of goodwill and recruiting.
Let's examine the facts:
1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.
2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.
3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.
There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.
If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.
What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?
Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?
The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.
What are you talking about? Facebook is not a "high value target" and "this bug would not cause Facebook much damage"?
For example, if you wanted to monetize it, I have to imagine TMZ (or someone even less scrupulous) would pay a lot of money for dumps of A-list celeb and athlete Facebook accounts.
You don't think Facebook having "The Fappening Part 2" on their hands is worth more than $15k to prevent? Or having every US Government FB account simultaneously posting ISIS propaganda?
The PR for any number of scenarios like those would be an absolute nightmare for Facebook.
He's right, and you are indeed recapitulating a discussion that has happened a zillion times on HN before. At some point (maybe I haven't read far enough down on the thread), The Grugq will chime in and confirm it, just in case you were doubting it. This isn't specific to Facebook; it's a common misapprehension of how bugs are valued for all SaaS companies.
People don't pay top dollar for speculative bugs. I'm sure there's some horrible market somewhere for stolen celebrity photos, but it generates a pittance compared to the people who harvest and exploit popped desktop computers.
It's not enough to imagine some way you could profit from the bug, for the same reason that you can't make 100 million dollars simply by coming up with the idea for an interesting startup. A viable exploit is just one part of the technical and business work that goes into profiting from a vulnerability. All the work, together, has to add up to less than the value of the exploit.
Moreover: pretty much nobody is planning out elaborate criminal enterprises based on Facebook bugs, because every one of those bugs takes a different form, has a different likelihood of discovery, and has a different payoff.
The bizarre part here is that Facebook is competing against a market that the security researcher is not allowed to participate in by law.
Facebook sets the price, not the market. That's why the speculative value of a bug should be relevant, not the practical value. If this guy were allowed to openly market his bug to all parties, it would be guaranteed to be worth much more than $15k.
The price to Facebook is totally arbitrary. They could pay this guy $10 and it would still be fair under your position, because it's better than the alternative of committing a felony by finding someone to outbid Facebook.
That's almost true. If Fb bid only $10, you could see bidding simply for the right to (a) announce the bug or (b) post a hash and lord it over Fb. There's a vanity value for some of these bugs that probably goes into the hundreds of dollars.
But the rest of your point? Yep. Sounds about right. Though I don't think it's quite fair to say that "Fb sets the price, not the market", since Fb is the market for these bugs.
You may choose (like you actually do) to make-believe whatever you wish about the exploits' worthlessness, but you may also assume that there already were a lot of black hats out there that provided "service" relying on the recently covered security weakness.
Also, about the "Facebook's security team is one of the strongest and most sophisticated of any company" mantra, even a mediocre strategist, after knowing at least something about his opponents, can improve his attack based on that knowledge. Assuming a modicum of surveillance on traffic dynamics from Facebook security team's part, this may translate into hiding the signature of a brute-force attack by spreading it into space (using a botnet) and time (spreading out a little each individual trial), or into a more elaborate method.
Don't move the goalposts. I'm not saying there aren't black hats that target Facebook. I'm saying none of them will pay $15000, or even $500, for this or any other Fb bug.
"Don't move the goalposts. I'm not saying there aren't black hats that target Facebook."
Actually, you didn't limit yourself to "black hats that target Facebook", you put a "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I answered to, so I'm not sure what goal post moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", which I'm not sure I understand from which angle you are looking at things by concluding that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account hacking service and derive cash flow for an unspecified number of black hats, as anyone in possession of something valuable would first and foremost try to use it and only secondly to sell it, you know? In such a context his remark doesn't even come to make much sense, so I'm not sure how "he's right" in your view.
I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of the said bug? Would, say, disrupting somewhere the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").
Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug" - if right now, it would so happen for me to be willing to pay for a Facebook account hijacking method those $500 (which BTW is a tempting figure), what value would this conviction of yours still hold?
I would say you were paying $500 for a vanity bug, and not be especially surprised.
What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.
You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.
But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.
"I would say you were paying $500 for a vanity bug"
No, it would be just an (admittedly shady) business investment.
"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."
You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects and so were you when you supported him, as for what you're doing now... I'm not sure what to make of it!
I'm sorry, but I don't see anything in this comment that is responsive to anything I've written or that introduces any new argument for me to respond to.
Your comment does not reflect how vulnerability sales work in the real world.
In the real world, vulnerabilities are sold to blackhat groups who want to make a profit by attacking as many websites as possible. Generally, these websites will have valuable credit card or other information that can be stolen from a compromised server.
Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.
The idea that TMZ would pay a significant amount of money for this is a Hollywood plot, nothing more. Vulnerabilities are not valued highly just because you can come up with a contrived scenario in which it would be valuable to someone for some reason.
This is a market, and like any other market there are buyers and sellers who dictate supply and demand.
He's not wrong, you're just misunderstanding him. He's not saying there aren't "valuable" or "interesting" Facebook accounts. He's saying that there aren't enough Facebook accounts with immediate drop-in value to an existing and lucrative criminal enterprise to create a competitive market for Facebook bugs.
I would agree, being that I cannot immediately detail how these Facebook accounts might be useful, but any information is useful, especially credentials.
(Valuable != "immediate drop-in value")? So, he's saying the accounts aren't valuable, but they have value? The subtlety is lost on me...
The info might be useful to someone, but not to the people who are buying vulnerabilities on the black market.
Imagine going to a tech trade show and setting up a stand for your lumber business. What you're selling has value and is useful, just not to the people you're trying to sell it to.
Let's assume the position of a spammer or ~0-day blackhatter... access to the accounts of the most popular website in the world are not of interest? (You could post a URL and have millions of people click it because they trust the poster.)
Is that a retort or simply an unrelated observation?
Edit: My intent was to understand your perspective (and argue...), but this comment goes over my head, and it seems as though it was a thinly veiled insult.
What I'm understanding here is that while it might be profitable to someone to have an exploit on hand that they can use, the actual work that goes into turning a profit from the exploit may be costly enough that it's not worth pursuing.
Not sure if you read Cryptonomicon, but there's a part there where Randy Waterhouse finds a crap load of gold in the middle of a jungle and then rationalizes that there's no easy way to get it out of there, making it worthless at that moment. That gold has value, but no liquidity.
This is a forum focused on the startup community. The difference between the merely-useful and the truly-marketable has been discussed ad nauseam on these pages, as that difference makes and breaks many startups.
But what can you really do with the Facebook login of, say Obama?
Not provoking WW3, that's for sure.
The only thing you can realistically create is a PR kerfuffle for Facebook, but considering the way to spread it would be (wait for it) on Facebook itself, there's not much money in this.
You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.
If done intelligently, this is incredibly difficult to trace. There is risk (rather than a straight-up sale), but the expected returns are probably an order of magnitude higher.
>You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.
It would likely be far cheaper and easier to execute something like this via social engineering than using an actual exploit. I'm reminded of the time Twitter user @m had his handle stolen because Apple gave up some personal info.
Given that there are likely 100s if not 1000s of FB users who may have access to the Bloomberg/AP/NYTimes official page, figuring out in an automated fashion who can be easily socially engineered isn't likely worth 15k.
Just because this isn't the typical mass vulnerability SQL injection or XSS attack on a major framework doesn't mean it's basically worthless ($15k or less).
The amount of damage that could be done to Facebook's reputation is enormous, not to mention the value of the information that could be stolen.
It all really depends on how fast FB can service the requests and how long it takes for them to notice and shut it down. Push your priority list off to a worldwide farm and watch the accounts pop out.
How long until FB would have it shut down and the affected accounts locked out?
The problem is that there's no half life. The bug dies instantaneously once discovered. It's not like 3/4 of the Internet runs "old Facebook" because they forgot to update it.
>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?
FB is publicly traded at very high volume. You can make very large bets on its movement without being noticed. A hack of 10 celebrity Facebook pages could probably drop the stock 5% in one day. You'd probably be able to make at least 20 to 1 on your money using options. The right organization could clear millions.
If that were as straightforward as you claim, there would be a black market for all sorts of serverside vulnerabilities that might swing stock prices. But there isn't. One of two things is probably happening:
1. It is way less easy to predictably and profitably swing Facebook's stock than simply by hacking 10 celebrity pages.
2. For whatever reason, including the fact that crime rings premised on manipulating stocks have an annoying tendency to get caught, nobody is running this "hack Company X while shorting their stock" scam, and so even if it's possible to accomplish, the market doesn't value it.
You overestimate how much investors [and the public at large] care about this. Security issues with banks are a regular occurrence - yet you don't see Chase's stock drop with every announcement of stolen CC numbers. To investors it's not worth considering unless it's catastrophic and ongoing.
This would be extremely lucrative for a media outlet. You would need way less than 5 exploited high-profile celebrity accounts to surpass the $15,000 that were awarded in profit.
The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.
Bounties should not only be higher than what you can get on the black market. They should be high enough to make security experts spend their time trying to win them. Given probability of finding a bug with such impact, it is just not worth the time of any decent white hat (in terms of financial gain, sure it's nice to brag about it and that I believe is the biggest motivation).
Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.
>> The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.
This is precisely my point. No, he couldn't have. I outlined why in the comment you responded to.
>> Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.
Leaving aside the fact that it obviously doesn't literally make "zero difference," should companies decide to pay more for things simply because they can afford to?
>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?
I can absolutely think of a situation that would make access to one person's facebook account worth way more than $20,000. Say, an unethical high-profile divorce lawyer fishing for information that would help during a multi-million dollar case. Or a political activist trying to dig up dirt on a candidate.
If I had a site with a billion users and said site had a vulnerability with significant repercussions on my business, BreakingBits, a "software security firm", would advise me not to meaningfully encourage outsiders to find and squash those vulnerabilities?
Hack into Zuckerberg's ID, get his card info if it's stored, and for fun change the profile pic, send the news to top blogs before letting Facebook know. How much would it cost Facebook to do damage control?
> Facebook is not a high value target, relatively speaking.
I think you got this wrong, Facebook is not the target, their users are. Which reminded me of "If a service on the Internet is free, you are the product"
Yeah, seriously, #2 is spot on. The moment you start brute forcing your way, network traffic gives you away and the security team will start blocking you.
By the time they find out you may have found out 1, 2, 3... a few accounts...
This is no way worth lots of $$ in bounty, let alone the 100k job offer, that's a joke.
This doesn't make any sense; most vulnerabilities you find on products are "game over" vulnerabilities. It's common. If you would give a billion dollars to every such finding in an audit then you would be pretty quickly calling bankruptcy.
Also, I can personally live for a year on that kind of money. But that's another issue.
On the other hand, that is maybe what they would have paid for a real audit of a few days/weeks and it's not even sure the vulnerability would have been found (especially considering the size of Facebook). So yeah, maybe they also deserve more.
David is right about this, too. A $50,000 pentest of any major web property is likely to find multiple sev:hi vulnerabilities. By the logic the grandparent comment uses, those audits should cost more like $1.5MM.
I think it's designed to be enough to convince would-be hackers to reveal the bug, but not enough to incentivise large amounts of people to sit around all day every day trying to break Facebook for bounties.
It's not really unrestricted. Given that this is forcing the password reset, you can't silently do it, right? So anyone exploiting it knows there's a limited number of uses before people notice that their passwords are being reset by not them.
True, the restriction is that you only get a guarantee of getting in one time. I meant that there are no restrictions on what you can do once you're in. (E.g. an XSS chat hack or something like that would be restricted in that sense)
I'm sure they might encourage him to interview, but he's not going to get a serious job offer just from this. There's essentially nothing technical or skillful going on here, other than the basic coding ability to do HTTP requests in a loop and the hunch to investigate if subdomains don't rate limit.
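The "subdomains don't rate limit" remark above is the whole bug: a guess budget keyed per host lets several front ends each hand out a fresh budget. The following is an added example, not Facebook's code or anything from this thread; it models that weak keying next to a per-account budget, and adds a log check that flags guessing spread across hosts. The 6-digit code, the budget of 10 and the host names are assumptions for the demo.

```python
"""Password-reset code verification with an attempt budget.

Added example, not Facebook's code. It models the flaw the thread describes
(a per-host rate limit that several subdomains do not share) next to the fix
(one budget per account), plus a log-based check that catches guessing spread
across hosts. Code format, budget size and host names are assumptions.
"""
import hmac
import secrets
from collections import Counter

MAX_ATTEMPTS = 10   # assumed: wrong guesses allowed per budget key


def per_host_key(account, host):
    """Weak keying: every front end (www, beta, m, ...) gets its own budget."""
    return (account, host)


def per_account_key(account, host):
    """Correct keying: all front ends draw from the account's single budget."""
    return account


class ResetCodeStore:
    def __init__(self, key_fn=per_account_key):
        self._key_fn = key_fn
        self._codes = {}      # account -> pending reset code (single use)
        self._failures = {}   # budget key -> wrong guesses so far
        self.audit = []       # (account, host, result), as a central log would hold

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"   # assumed 6-digit code
        self._codes[account] = code
        return code

    def verify(self, account, host, candidate):
        key = self._key_fn(account, host)
        if account not in self._codes:
            result = "no_pending_reset"
        elif self._failures.get(key, 0) >= MAX_ATTEMPTS:
            result = "rate_limited"            # refused before any comparison
        elif hmac.compare_digest(self._codes[account], candidate):
            del self._codes[account]           # code is consumed on success
            result = "ok"
        else:
            self._failures[key] = self._failures.get(key, 0) + 1
            result = "wrong"
        self.audit.append((account, host, result))
        return result

    def suspicious_accounts(self, threshold=MAX_ATTEMPTS):
        """Detection: accounts whose wrong guesses, summed over all hosts,
        exceed what a single budget should ever allow."""
        wrong = Counter(acct for acct, _host, res in self.audit if res == "wrong")
        return sorted(acct for acct, n in wrong.items() if n > threshold)


def comparisons_allowed(store, account, hosts, requests=200):
    """Count how many wrong guesses are actually compared before every host
    is refused; rotating hosts shows the effect of the budget key."""
    code = store.issue(account)
    wrong_guess = "000000" if code != "000000" else "000001"
    compared = 0
    for i in range(requests):
        host = hosts[i % len(hosts)]
        if store.verify(account, host, wrong_guess) == "wrong":
            compared += 1
    return compared


if __name__ == "__main__":
    hosts = ["www.example.test", "beta.example.test", "m.example.test"]  # constructed
    weak = ResetCodeStore(per_host_key)
    fixed = ResetCodeStore(per_account_key)
    print("per-host budget:   ", comparisons_allowed(weak, "alice", hosts))    # 30
    print("per-account budget:", comparisons_allowed(fixed, "alice", hosts))   # 10
    print("flagged by log check:", weak.suspicious_accounts())                 # ['alice']
```

With three hosts the per-host store compares 30 guesses against the code while the per-account store compares 10, and the centralized log check flags the account either way the limiter is keyed.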
He was resourceful enough to find a security flaw of the highest severity in the only product of a $300 billion company. A hole that was somehow missed by said company's own security auditors, who collectively are probably paid many millions of dollars per year entirely to look for such holes. So that's something.
But you're right, he might have just got lucky. The one fish in a school of 100,000 who finds the hole in the net probably isn't smarter than all the other fish. But that just strengthens the argument that companies should reward very generously for these exploits, because increasing the number of white-hats looking for them is a good way to ensure that they get found by one.
Over 20k in bounties in the last year listed, this 15k bounty, and multiple unlisted amounts from Yahoo. I don't think he cares about a job offer from FB too much.