
This has been discussed many, many times on HN before. This bug would not cause Facebook much damage; in fact, Facebook and Google tend to overpay rewards for bugs for the purposes of goodwill and recruiting.

Let's examine the facts:

1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.

2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.

3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.

There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.

If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.

What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?

Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.

For further reading on bug bounty valuation:

https://news.ycombinator.com/item?id=7106953

https://news.ycombinator.com/item?id=9302188

https://news.ycombinator.com/item?id=9040855

https://news.ycombinator.com/item?id=9041017

https://news.ycombinator.com/item?id=8563884



What are you talking about? Facebook is not a "high value target" and "this bug would not cause Facebook much damage"?

For example, if you wanted to monetize it, I have to imagine TMZ (or someone even less scrupulous) would pay a lot of money for dumps of A-list celeb and athlete Facebook accounts.

You don't think Facebook having "The Fappening Part 2" on their hands is worth more than $15k to prevent? Or having every US Government FB account simultaneously posting ISIS propaganda?

The PR for any number of scenarios like those would be an absolute nightmare for Facebook.


He's right, and you are indeed recapitulating a discussion that has happened a zillion times on HN before. At some point (maybe I haven't read far enough down on the thread), The Grugq will chime in and confirm it, just in case you were doubting it. This isn't specific to Facebook; it's a common misapprehension of how bugs are valued for all SaaS companies.

People don't pay top dollar for speculative bugs. I'm sure there's some horrible market somewhere for stolen celebrity photos, but it generates a pittance compared to the people who harvest and exploit popped desktop computers.

It's not enough to imagine some way you could profit from the bug, for the same reason that you can't make 100 million dollars simply by coming up with the idea for an interesting startup. A viable exploit is just one part of the technical and business work that goes into profiting from a vulnerability. All the work, together, has to add up to less than the value of the exploit.

Moreover: pretty much nobody is planning out elaborate criminal enterprises based on Facebook bugs, because every one of those bugs takes a different form, has a different likelihood of discovery, and has a different payoff.


The bizarre part here is that Facebook is competing against a market that the security researcher is not allowed to participate in by law.

Facebook sets the price, not the market. That's why the speculative value of a bug should be relevant, not the practical value. If this guy were allowed to openly market his bug to all parties, it would be guaranteed to be worth much more than $15k.

The price to Facebook is totally arbitrary. They could pay this guy $10 and it would still be fair under your position, because it's better than the alternative of committing a felony by finding someone to outbid Facebook.


That's almost true. If Fb bid only $10, you could see bidding simply for the right to (a) announce the bug or (b) post a hash and lord it over Fb. There's a vanity value for some of these bugs that probably goes into the hundreds of dollars.

But the rest of your point? Yep. Sounds about right. Though I don't think it's quite fair to say that "Fb sets the price, not the market", since Fb is the market for these bugs.


You may choose (as you actually do) to make-believe whatever you wish about the exploit's worthlessness, but you may also assume that there were already a lot of black hats out there providing a "service" relying on the recently covered security weakness.

Also, about the "Facebook's security team is one of the strongest and most sophisticated of any company" mantra: even a mediocre strategist, after learning at least something about his opponents, can improve his attack based on that knowledge. Assuming a modicum of surveillance of traffic dynamics on the Facebook security team's part, this may translate into hiding the signature of a brute-force attack by spreading it out in space (using a botnet) and in time (spacing out each individual trial a little), or into a more elaborate method.


Don't move the goalposts. I'm not saying there aren't black hats that target Facebook. I'm saying none of them will pay $15000, or even $500, for this or any other Fb bug.


"Don't move the goalposts. I'm not saying there aren't black hats that target Facebook."

Actually, you didn't limit yourself to "black hats that target Facebook", you put a "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I answered, so I'm not sure what goalpost moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", and I'm not sure from which angle you are looking at things to conclude that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account-hacking-service-derived cash flow for an unspecified number of black hats, as anyone in possession of something valuable would first and foremost try to use it and only secondly sell it, you know? In such a context his remark doesn't even make much sense, so I'm not sure how "he's right" in your view.

I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of the said bug? Would, say, disrupting somewhere the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").

Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug" - if right now it so happened that I was willing to pay those $500 (which BTW is a tempting figure) for a Facebook account hijacking method, what value would this conviction of yours still hold?


I would say you were paying $500 for a vanity bug, and not be especially surprised.

What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.

You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.

But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.


"I would say you were paying $500 for a vanity bug"

No, it would be just an (admittedly shady) business investment.

"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."

You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects, and so were you when you supported him; as for what you're doing now... I'm not sure what to make of it!


I'm sorry, but I don't see anything in this comment that is responsive to anything I've written or that introduces any new argument for me to respond to.


> I don't see anything in this comment [...] for me to respond to

Yet you did it anyway! :)

Actually, he did begin by responding with something useful to what you've written.


Your comment does not reflect how vulnerability sales work in the real world.

In the real world, vulnerabilities are sold to blackhat groups who want to make a profit by attacking as many websites as possible. Generally, these websites will have valuable credit card or other information that can be stolen from a compromised server.

Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.

The idea that TMZ would pay a significant amount of money for this is a Hollywood plot, nothing more. Vulnerabilities are not valued highly just because you can come up with a contrived scenario in which it would be valuable to someone for some reason.

This is a market, and like any other market there are buyers and sellers who dictate supply and demand.


>Compromised user accounts (not even the server! just users!) on a single website do not constitute a valuable target.

That statement is just plain wrong. With over a billion Facebook users, surely some of them are high-value targets.


He's not wrong, you're just misunderstanding him. He's not saying there aren't "valuable" or "interesting" Facebook accounts. He's saying that there aren't enough Facebook accounts with immediate drop-in value to an existing and lucrative criminal enterprise to create a competitive market for Facebook bugs.


I would agree, being that I cannot immediately detail how these Facebook accounts might be useful, but any information is useful, especially credentials.

(Valuable != "immediate drop-in value")? So, he's saying the accounts aren't valuable, but they have value? The subtlety is lost on me...


Lots of things have utility but no liquidity.


The info is useful, but not sellable? The two seem deeply intertwined. If I can prove usefulness, I can sell it.

Actually, you say the info has "a use"... does that not directly imply worth?


The info might be useful to someone, but not to the people who are buying vulnerabilities on the black market.

Imagine going to a tech trade show and setting up a stand for your lumber business. What you're selling has value and is useful, just not to the people you're trying to sell it to.


Let's assume the position of a spammer or ~0-day blackhatter... access to the accounts of the most popular website in the world are not of interest? (You could post a URL and have millions of people click it because they trust the poster.)


That's an especially ironic argument to try to make on this particular site.


Is that a retort or simply an unrelated observation?

Edit: My intent was to understand your perspective (and argue...), but this comment goes over my head, and it seems as though it was a thinly veiled insult.


What I'm understanding here is that while it might be profitable for someone to have an exploit on hand that they can use, the actual work that goes into turning a profit from the exploit may be costly enough that it's not worth pursuing.

Not sure if you read Cryptonomicon, but there's a part there where Randy Waterhouse finds a crap load of gold in the middle of a jungle and then rationalizes that there's no easy way to get it out of there, making it worthless at that moment. That gold has value, but no liquidity.


This is a forum focused on the startup community. The difference between the merely-useful and the truly-marketable has been discussed ad nauseam on these pages, as that difference makes and breaks many startups.



If you could have been more direct, I would have been more receptive to learning, rather than confusion and feeling excluded.


But what can you really do with the Facebook login of, say, Obama? Not provoke WW3, that's for sure. The only thing you can realistically create is a PR kerfuffle for Facebook, but considering the way to spread it would be (wait for it) on Facebook itself, there's not much money in this.


You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.

If done intelligently, this is incredibly difficult to trace. There is risk (rather than a straight-up sale), but the expected returns are probably an order of magnitude higher.


>You simply log into the Bloomberg/AP/NYTimes account, post some fake economic or political news, and then call in some options you purchased the week before.

It would likely be far cheaper and easier to execute something like this via social engineering than using an actual exploit. I'm reminded of the time Twitter user @m had his handle stolen because Apple gave up some personal info.

Given that there are likely hundreds if not thousands of FB users who may have access to the Bloomberg/AP/NYTimes official page, figuring out in an automated fashion who can be easily socially engineered isn't likely worth 15k.


Given that the risk is you go to jail, I'm not so sure.


I thought most blackhat activities already implied the threat of jail-time...


I think you are vastly underestimating the power of social engineering.


> Hollywood plot, nothing more.

The first example that comes to mind, "an organised trade in confidential personal information"

https://en.wikipedia.org/wiki/News_International_phone_hacki...

Just because this isn't the typical mass vulnerability SQL injection or XSS attack on a major framework doesn't mean it's basically worthless ($15k or less).

The amount of damage that could be done to Facebook's reputation is enormous, not to mention the value of the information that could be stolen.


The black market does not put a high price on damaging Facebook's reputation.


You know what people put into Facebook chats?

Obligatory quote from Kanye's newest album 'The Life of Pablo':

" I had a cousin that stole my laptop that I was fuckin' bitches on

Paid that nigga 250 thousand just to get it from him "


You know what people put into Instant Bloomberg chats?

Go try to sell an IBB bug.


Step one: short a million on Apple shares

Step two: hack into Tim Cook's account (no idea if he uses FB)

Step three: publish rant about Apple's rotten ideologies/he quits

Step four: see AAPL lose value for a day until this shit is sorted

Step five: profit

Or something like that


Step 6 - go to jail.

Step 7 - get out of jail and decide doing far less risky illegal stuff has a better expected payout.


Your claim was about the severity of the bug.

It all really depends on how fast FB can service the requests and how long it takes for them to notice and shut it down. Push your priority list off to a worldwide farm and watch the accounts pop out.

How long until FB would have it shut down and the affected accounts locked out?


The problem is that there's no half life. The bug dies instantaneously once discovered. It's not like 3/4 of the Internet runs "old Facebook" because they forgot to update it.


Sure, but in the time before the accounts are locked out all of their data may have been exfiltrated and mirrored around the world.

It won't matter if everyone can get the latest version of Facebook if no one is willing to use it anymore.


>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

FB is publicly traded at very high volume. You can make very large bets on its movement without being noticed. A hack of 10 celebrity facebook pages could probably drop the stock 5% in one day. You'd probably be able to make at least 20 to 1 on your money using options. The right organization could clear millions.


If that were as straightforward as you claim, there would be a black market for all sorts of serverside vulnerabilities that might swing stock prices. But there isn't. One of two things is probably happening:

1. It is way less easy to predictably and profitably swing Facebook's stock than simply by hacking 10 celebrity pages.

2. For whatever reason, including the fact that crime rings premised on manipulating stocks have an annoying tendency to get caught, nobody is running this "hack Company X while shorting their stock" scam, and so even if it's possible to accomplish, the market doesn't value it.


You overestimate how much investors [and the public at large] care about this. Security issues with banks are a regular occurrence, yet you don't see Chase's stock drop with every announcement of stolen CC numbers. To investors it's not worth considering unless it's catastrophic and ongoing.


This would be extremely lucrative for a media outlet. You would need way less than 5 exploited high-profile celebrity accounts to surpass, in profit, the $15,000 that was awarded.


The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

Bounties should not only be higher than what you can get on the black market. They should be high enough to make security experts spend their time trying to win them. Given probability of finding a bug with such impact, it is just not worth the time of any decent white hat (in terms of financial gain, sure it's nice to brag about it and that I believe is the biggest motivation).

Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.


>> The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

This is precisely my point. No, he couldn't have. I outlined why in the comment you responded to.

>> Money wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.

Leaving aside the fact that it obviously doesn't literally make "zero difference," should companies decide to pay more for things simply because they can afford to?


>Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

I can absolutely think of a situation that would make access to one person's facebook account worth way more than $20,000. Say, an unethical high-profile divorce lawyer fishing for information that would help during a multi-million dollar case. Or a political activist trying to dig up dirt on a candidate.


Or some advertising on several very popular accounts ...


If I had a site with a billion users and said site had a vulnerability with significant repercussions on my business, BreakingBits, a "software security firm", would advise me not to meaningfully encourage outsiders to find and squash those vulnerabilities?

Uh... is this the advice you give your customers?


Hack into Zuckerberg's account, get his card info if it's stored, and for fun change the profile pic, then send the news to top blogs before letting Facebook know. How much would it cost Facebook to do damage control?


> Facebook is not a high value target, relatively speaking.

I think you got this wrong, Facebook is not the target, their users are. Which reminded me of "If a service on the Internet is free, you are the product"


This quote is as lame as it is irrelevant.


Yeah, seriously, #2 is spot on. The moment you start brute forcing your way in, network traffic gives you away and the security team will start blocking you. By the time they find out you may have found out 1, 2, 3... a few accounts. This is in no way worth lots of $$ in bounty, let alone the 100k job offer; that's a joke.



