[HN Gopher] I Hacked into Facebook's Legal Department Admin Panel
___________________________________________________________________
I Hacked into Facebook's Legal Department Admin Panel
Author : hackerpain
Score : 226 points
Date : 2020-12-12 20:17 UTC (2 hours ago)
web link (alaa.blog)
| atum47 wrote:
| well, I wasn't gonna comment about this subject, but here we
| go: I find this value ($7,500.00) kind of low for a discovery
| like this.
|
| The other day, someone shared a link to an app [1] that
| estimates how much an OnlyFans user makes. I gotta tell, it got to
| me. I was never money orientated and I don't plan to become; but
| seeing how much someone makes by being naked in front of a web
| cam vs a software engineer salary is kinda sad.
|
| some of the OnlyFans users make in a month what a plain SE
| would make in a year. besides the fact that there are some
| seriously wrong things with the world, I thought this kind of skill
| would be more rewarded. Given the fact that you could exploit
| this vulnerability to make a lot more money (or am I mistaken?).
|
| 1 - https://news.ycombinator.com/item?id=25393191
| Latty wrote:
| Describing that work as "being naked in front of a webcam" is
| like calling software development "typing at a computer". You
| can make any job sound trivial and downplay its value by
| describing it in a way that removes the skill and effort
| involved.
|
| I'm not sure why you feel the need to imply someone else's work
| isn't valuable to make the point that this work should be more
| valuable.
| atum47 wrote:
| ok, I'll bite. What kind of skill do you need to have,
| besides being born attractive, to succeed in such business?
| auntienomen wrote:
| Like a lot of businesses in the addiction space, cam
| workers make a lot of their money off whales. So the profit
| comes from high effort relationship maintenance / customer
| service.
| julianlam wrote:
| Someone attractive can have the charisma of a dead fish.
| program9 wrote:
| People will pay for that
| grawprog wrote:
| >but seeing how much someone makes by being naked in front of a
| web cam vs a software engineer salary is kinda sad.
|
| >some of the only fans users makes in a month what a plain SE
| would make in a year
|
| I'm sure if you could think of a way to make software engineers
| as appealing as naked women, you'd probably find yourself a
| pretty great job paying well over the people on onlyfans.
| atum47 wrote:
| well, I might. I finished college back in 2019 and my teacher
| who was my counselor, runs several projects trying to make SE
| and CS more attractive to girls. I guess she'll have a harder
| job to do now, knowing that a girl could rely on her beauty
| to make thousands of dollars exposing herself to strangers.
|
| Damn it, I have a two year old niece, I guess me and my
| brother better think of something fast, so when she's a teenager
| she'll be interested in STEM.
| jrochkind1 wrote:
| So... that's just not how any of that works. Do you really
| think most of the women you know are choosing to be on
| onlyfans _and_ are making huge money off it? Hint, no. Not
| a choice most would make _and_ most accounts there are not
| making any kind of money like that.
|
| But you seem really upset about all this. To be clear, what
| you are mad about is how there are lots of men willing to
| pay to see naked and sexual content online, right? That
| really upsets you?
| atum47 wrote:
| not at all. sex workers will exist forever. I guess my
| beef is how easy it is for young girls to become one now.
| Are you struggling with calculus? Is physics giving you a
| hard time? Well, let me tell you about only fans...
|
| Jokes apart, the appeal was already there. making money
| from the comfort of your bed. Seeing how much money
| you can make though, that's what really broke my back.
| grawprog wrote:
| >who was my counselor, runs several projects trying to make
| SE and CS more attractive to girls.
|
| This is a good thing. Sorry if my above comment was
| dismissive and callous. Honestly, it is kind of sad as a
| society, that's what ends up being valued more highly.
|
| >knowing that a girl could rely on her beauty to makes
| thousands of dollars exposing herself to strangers.
|
| That's not really anything new. Such things have always
| existed.
|
| To be honest, my comment was mainly in reference to the
| business model itself. It's hard to compare a salary or
| wage with lots of money from donations or subscriptions.
|
| I'm sure there's people on onlyfans that make barely
| anything and there's lots of software engineers with high
| paying jobs.
|
| >Damn it, I have a two year old niece, I guess me and my
| brother better think something fast, so when shes a
| teenager she'll be interested in STEM.
|
| I dunno, teach her self respect and explain the value in
| success using one's talents and abilities as opposed to
| exploiting their appearance or bodies.
|
| There's always been the option for girls to do the second
| one. I'm glad your teacher and people like her are trying
| hard to give girls more options like the first.
| toyg wrote:
| It was always thus. In fact, until the '60s, a girl _had
| to_ rely on her beauty and personality _to eat and survive_,
| i.e. by marrying.
|
| I have a daughter and, while obviously I'd prefer she
| didn't end up on onlyfans, I really don't want to limit
| what she should do or what talent she should leverage to
| reach happiness and/or prosperity.
| throwaway3699 wrote:
| And software engineers make way more money than most healthcare
| workers... "There's something seriously wrong with the
| world"...
|
| Main reason this is so is because of scale.
| One healthcare
| worker can look after a ward at most, one software engineer can
| write software that affects millions in a very small way, and
| some onlyfans accounts hit a smaller scale but with more
| revenue per user on average.
| atum47 wrote:
| The same argument I made for SE could be easily done for
| health workers. They are very important.
|
| but I'll say this: I saw everywhere how underrated health
| workers are, and I agree. They should be paid a lot more;
| even more than athletes, in my book.
|
| but how about SE and CS, have you heard anything? the whole
| economy would crumble, if it weren't for online business.
| internet, apps, video chats, smart phones... I'm yet to see
| an ad saying thank you for what those brilliant CS and SE
| people have done for the world.
| Dumble wrote:
| I find the paragraph where the author described the exploit hard
| to read.
|
| Basically, he triggered the "Password Reset" process and then
| guessed the reset token?
| vasuki wrote:
| > I sent random requests using intruder with a CSRF token and
| random emails with a new password to this endpoint
| /savepassword
|
| So this endpoint simply allowed setting up a new password with
| a POST request for the specified email address and he was able
| to guess the email .. ¯\_(ツ)_/¯
| zaroth wrote:
| That's how I read it as well, almost too absurd to believe.
|
| SetPassword and the parameters to the function are just
| username and newPassword.
|
| I guess they assumed there was authentication happening
| before the request would even be served (pre-existing
| session).
| throwitaway1235 wrote:
| You brilliant guys need to find a way to extract more than $7500
| for solutions to problems that less than what, 2%?, of the world's
| population can solve.
|
| If I were your tech agent I'd demand Facebook pay out $75,000
| minimum for this specific problem.
| sltEvas wrote:
| 2%? You have an interesting idea of the world's population.
| Just think about what that means. It means 2 out of 100 people
| can hack into Facebook's Legal Department Admin Panel.
|
| I mean if we are talking "mentally capable to achieve that
| within a decade if the person does nothing else but strive to
| that goal"... Perhaps.
|
| If we are talking "sit down right now and do it", then it's
| more like what... 10,000-100,000 people on earth? Which makes
| for more like 0.0014%?
| jiofih wrote:
| So logically you deserve to be paid 0.0014% of Facebook's
| yearly revenue, which is around $1,176,000.00! /s
| scarlac wrote:
| > I'd demand Facebook pay out $75,000 minimum
|
| Wouldn't demanding money be blackmail?
|
| A story from one of my startups: A student reached out to us
| regarding a security vulnerability on the website, demanding
| money for it. He refused to say what it was or provide evidence
| at first, so we couldn't assess it. He said he'd disclose it to
| others if we didn't.
|
| I definitely felt blackmailed. I am not a lawyer but it felt
| illegal. Maybe someone can chime in to say if it is?
| rhexs wrote:
| Unless litigating students is something your startup is
| interested in, I'd recommend ignoring that line of thinking
| and just hiring a good pen tester for a few months.
| ericjang wrote:
| Rather than the exploiter setting an arbitrary price (which
| would be closer to blackmail), I think parent comment was
| saying that the fair market value of disclosing such a bug
| was worth closer to $75k given the unique skill set required.
|
| Skilled engineers turn to cybercrime when white-hat bounties
| are insufficiently rewarding, so it is in everyone's interest
| to pay competitive rates for finding security
| vulnerabilities.
| anonu wrote:
| $7500 seems low for this bug. If I were Facebook I would raise
| it. Why?
|
| Cost/benefit analysis tells me I could probably get a lot more
| for this bug going to some more nefarious actors.
|
| $7500 is a drop in the ocean for a company like FB who has a
| reputation to keep intact.
| zitterbewegung wrote:
| How do you know if this is happening or not?
| polishdude20 wrote:
| What is this fuzzing tool you use to get the endpoints?
| tptacek wrote:
| It's sort of implied that it's not Burp Intruder, but Burp
| Intruder would be a pretty normal way to do this.
| OminousWeapons wrote:
| Dirbuster, gobuster, or some variant is probably what was used
| here.
| trav4225 wrote:
| I've always wondered, aren't these types of bug investigations
| illegal? Aren't the investigators concerned about criminal
| prosecution? Not being snarky; I'm asking sincerely.
| KMnO4 wrote:
| Generally companies prefer if you find bugs and disclose them
| before malicious parties find and exploit them.
|
| Most websites have a "responsible disclosure" policy. If you
| can't find this linked on their main page, you can often find
| it at /security.txt or /.well-known/security.txt
|
| [0]: https://securitytxt.org/
|
| [1]: https://facebook.com/security.txt
| jcims wrote:
| In general you are on shaky legal ground.
|
| However, some companies (including Facebook) have a bug bounty
| program that provides a prescribed safe harbor that you can
| operate within to discover vulnerabilities within their
| products or infrastructure in exchange for some kind of
| recognition or award.
|
| The terms of Facebook's bounty are here:
| https://www.facebook.com/whitehat
|
| Based on a cursory glance and the fact that this individual was
| awarded in their program, it appears they operated by the book.
|
| Prosecuting activity that happens outside of these parameters
| has definitely happened in the past and will continue. It's not
| always a cut and dried decision. It can be difficult/expensive
| to effectively prosecute and you may find a lot of social
| backlash depending on the nature and impact of the activity.
| bredren wrote:
| Yes.
| Most competent tech companies permissibly allow
| "security research" like this.
|
| If you are genuinely trying to find exploits in good faith,
| and are acting within the parameters spelled out in their bug
| bounty program, it's all good. You also may get paid.
|
| This blog entry sort of dramatized what happened for clicks.
| I actually think it's unwise to characterize any exploit like
| this, because it adds a PR dimension consumer companies just
| don't want or need.
|
| It sort of creates a sense of adversarial relationship which
| isn't really what FB is after.
|
| But it sounds like a risky endeavor put this way and probably
| helps get retweets and attention in the short term.
| jcims wrote:
| Totally agree with your perspective here. There's security
| research and there's bug prospecting. Both have streaks of
| narcissists and showboaters but the latter seems to be
| thick with them.
| markdown wrote:
| > There's security research and there's bug prospecting.
|
| If the end result of your work isn't a whitepaper or
| something similar from which others can learn, then you
| can call your work "security research".
|
| Bug bounty programs are mainly targeted at bug
| prospectors.
|
| > Both have streaks of narcissists and showboaters but
| the latter seems to be thick with them.
|
| Thank god for that. Blog posts like the one this thread
| is about are really valuable to those of us interested in
| the work of others.
| jcims wrote:
| >Thank god for that. Blog posts like the one this thread
| is about are really valuable to those of us interested in
| the work of others.
|
| I can see how what I said could be interpreted as 'folks
| that blog about their work are narcissists'. That wasn't
| my intent. The headline is a bit clickbaity but the
| explanation is a good walkthrough. This isn't the far end
| of the spectrum that I had in mind. Watching twitter or
| working for a bug bounty program is a better way to get
| exposed to that set.
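The /savepassword behaviour that vasuki and zaroth describe above (a CSRF-checked POST that sets a new password for whatever email it is given, with nothing proving the caller controls that account) is worth seeing beside a correct version. The Python below is an added example written for this page; it is not code from the post, from Facebook, or from anyone in the thread. The endpoint name, the form field names, the in-memory store and the reset-token scheme are all assumptions made for the demonstration.

```python
# Added example, not code from the post or from Facebook: a toy "save password"
# handler in its vulnerable and hardened forms. Endpoint name, field names and
# the in-memory store are assumptions made for the demonstration.
import hmac
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL_SECONDS = 15 * 60


@dataclass
class Store:
    # email -> password (plaintext only to keep the demo short;
    # a real service stores a salted hash)
    passwords: dict
    # reset token -> (email it was issued for, expiry as a unix timestamp)
    reset_tokens: dict = field(default_factory=dict)


def csrf_ok(session, form):
    """Constant-time comparison of the session's CSRF token with the form's."""
    return hmac.compare_digest(session.get("csrf", ""), form.get("csrf_token", ""))


def vulnerable_save_password(store, session, form):
    """The pattern the thread describes: the only check is the CSRF token.
    That proves the request came from a page the site served, not that the
    caller owns the account named in 'email', so any visitor with a session
    can overwrite any account's password."""
    if not csrf_ok(session, form):
        return 403
    if form["email"] not in store.passwords:
        return 404
    store.passwords[form["email"]] = form["new_password"]
    return 200


def issue_reset_token(store, email, now=None):
    """What a real 'forgot password' flow would e-mail to the account owner."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store.reset_tokens[token] = (email, now + RESET_TTL_SECONDS)
    return token


def hardened_save_password(store, session, form, now=None):
    """Same endpoint with authorization: the caller must either be logged in
    as the target account or present a single-use, unexpired reset token that
    was issued for that exact account. Unknown accounts get the same 403 as a
    failed authorization so the endpoint does not enumerate users."""
    now = time.time() if now is None else now
    if not csrf_ok(session, form):
        return 403
    email = form["email"]
    authorized = session.get("user") == email
    token = form.get("reset_token")
    if not authorized and token is not None:
        # pop() makes the token single-use even when the checks below fail
        issued_for, expires_at = store.reset_tokens.pop(token, (None, 0))
        authorized = issued_for == email and now < expires_at
    if not authorized or email not in store.passwords:
        return 403
    store.passwords[email] = form["new_password"]
    return 200


if __name__ == "__main__":
    # Constructed demo data: a victim account and an unrelated logged-in user.
    attacker_session = {"csrf": "abc", "user": "attacker@example.com"}
    attack = {"csrf_token": "abc", "email": "victim@example.com",
              "new_password": "owned"}
    store = Store(passwords={"victim@example.com": "hunter2"})
    print("vulnerable:", vulnerable_save_password(store, attacker_session, attack),
          store.passwords["victim@example.com"])
    store = Store(passwords={"victim@example.com": "hunter2"})
    print("hardened:  ", hardened_save_password(store, attacker_session, attack),
          store.passwords["victim@example.com"])
```

The point the two handlers make is that a CSRF token and an authorization check answer different questions: the first says "this form came from us", the second says "this caller may change this account". A reset flow needs the second, bound to the specific account, time-limited and consumed on first use, which is what `hardened_save_password` enforces and `vulnerable_save_password` never asks about.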
| curiousgal wrote:
| Many of these guys are based in Third World countries, it's
| more complicated to go after them over petty stuff.
| Cyph0n wrote:
| This has nothing to do with it.
|
| See sibling comments for the actual reason: Facebook and
| other companies typically allow this kind of security
| research, as long as the intent is not malicious and the
| researcher operates within some boundaries.
| ikiris wrote:
| Would you rather someone find it and report it to you, or sell
| it on the dark web / exploit it?
|
| Making this kind of research illegal only makes sure the end
| result is always the latter.
| snazz wrote:
| Facebook allows people hunting for bugs to find them on
| approved subdomains following their bug bounty policy.
| detaro wrote:
| Places with a bug bounty program typically publicly state rules
| for what they think is ok for a researcher to do, specifically
| to avoid that problem. Without permission like that, yes, such
| an investigation can quickly move into legally dangerous areas,
| and not all companies have gotten the idea that if someone is
| willing to tell you about a problem you want them on your side,
| threatening or suing them just means the next time someone
| finds something you're not told. (of course that's not a free-
| for-all for researchers, if you start actually poking in
| private data or hack actual peoples accounts that's a problem)
| heavyset_go wrote:
| In the US, yes. Unauthorized access and computer trespass are
| often felonious. People have gone to prison for logging into an
| email account by guessing the password[1].
|
| [1] https://www.helpnetsecurity.com/2010/11/12/palin-e-mail-hack...
| iso8859-1 wrote:
| First pentester I found with 12k followers on Instagram:
| https://www.instagram.com/al_shwele/ but 8 on GitHub:
| https://github.com/Alaa-abdulridha
|
| Instagram keeps surprising me...
| Traubenfuchs wrote:
| The majority of the accounts following him have 0 posts, very
| low amount of followers and follow thousands of other people.
| They are most likely bought or collected via an online bot
| tool. Further quantitative evidence: His posts have a very low
| amount of likes and comments.
| pletsch wrote:
| 61 likes off 13k followers..yeah, that's a tough sell.
| Debug_Overload wrote:
| > The majority of the accounts following him have 0 posts,
| very low amount of followers and follow thousands of other
| people.
|
| There's also the issue of "follower farmers". Basically, some
| spam accounts start following tens of thousands of people
| hoping at least some will check their profiles, maybe follow
| them back or click on their spam.
|
| I noticed this mostly on Twitter, and after some digging, it
| turns out to be a common tactic used by spammer bots (or umm,
| "marketing teams"). I don't know how common that issue is on
| Instagram though but it could be the same.
| Cyph0n wrote:
| Not sure about that account, but penetration testing is
| actually fairly popular in the Middle East. Cost of living is
| typically quite low, so decent researchers can make a living
| from bug bounties.
|
| Fun fact: Tunisia, a relatively small North African country,
| was awarded the second highest number of Facebook bounties this
| year[1].
|
| [1]: https://about.fb.com/news/2020/11/bug-bounty-program-10th-an...
| lqet wrote:
| Interesting, but missing words and strange/missing punctuation
| make this a bit hard to read.
| JadoJodo wrote:
| I suspect this is an ESL post.
| exlurker wrote:
| ESL = English as a Second Language. Had to look it up.
| toyg wrote:
| It read more like an ADHD post (no offense), the author
| clearly had no time to waste on full stops.
| z3t4 wrote:
| Judging by the response letter it seems they think he only
| managed to reset a password... not _setting_ the password. Will
| be interesting to read the follow up.
| ForHackernews wrote:
| $7500? Why are these bug bounties so piddling?
|
| How much would an exploit like this be worth on the black market?
| What's the potential loss / liability on Facebook's side?
| Hundreds of thousands? Millions?
| tptacek wrote:
| There is no market for bugs like these.
| saltyshake wrote:
| not even for nation states/APTs? Are you sure about that?
| _tk_ wrote:
| I can't speak for Thomas- but generally you'd want to
| invest your money in a vuln that is rather static. Web
| applications with attack surfaces that are constantly
| changing are not a good fit for a sophisticated attack with
| potentially huge blowback.
| dennisy wrote:
| Could you please elaborate?
| tptacek wrote:
| Sorry, I didn't write clearly. What I meant was, there is
| no market for RCEs in random Facebook backoffice sites.
| VWWHFSfQ wrote:
| Where are you going to go to sell it? are you going to go
| find some tor hidden service with a forum that you can post
| your exploit on and hope that somebody will give you some
| bitcoins for it? You think that those are not under heavy
| surveillance already? The "black market" for this kind of
| thing is way overblown. And if you think you can just go
| sell it to some nation state, think again. That's an easy
| way to end up in a federal supermax.
| mszcz wrote:
| Isn't legal involved in most business moves? Getting wind
| of those ahead of a public announcement surely must be worth
| something ;)
| detaro wrote:
| A "market" needs a bit more than "is worth something".
|
| What multiplier of the $7500 bounty would you want for the
| trouble of committing a crime? Who's the buyer (FB afaik
| doesn't buy a whole lot of publicly traded companies, so it
| probably needs to be someone who can get into the deals,
| and quickly)? How do you find them? How do you convince
| that buyer that your deal is worth the money and the hassle
| of committing a crime? How do you trust the buyer?
| How do
| you handle it if the hole gets closed before the buyer can
| profit? How do you value the risk it gets closed before you
| got your deal? Does all that work out in a way that you
| really don't want to take the bounty?
|
| People buying backdoor access into companies probably
| happens occasionally, but it's probably not the easy high-
| profit thing compared to bounties many people think, but
| rather on the level of selling account information by the
| dozen for a few bucks - and for something like that you'll
| burn them quickly.
| mszcz wrote:
| Didn't say it was easy to monetize. I do recall a bust,
| some time ago, of a ring that used prerelease (?)
| announcement pdfs already placed on publicly accessible
| servers (?) as a source of insider alpha.
|
| ('?' because I'm on my third whiskey and about to turn in
| :)
| detaro wrote:
| Yeah, the response is purely in context of the mentions
| of "black market" value higher up the thread. Being able
| to turn potential gain for someone into actual money for
| you is the key issue.
| tptacek wrote:
| I believe a good way to think about the market for
| vulnerabilities is this:
|
| There are markets for vulnerabilities that slot
| seamlessly into existing business processes. In other
| words, you can tend to find a buyer for a vulnerability
| that would replace another vulnerability already being
| used, that accomplishes pretty much exactly the same
| thing as that vulnerability. The more people run that
| business process, the more likely it is that there's a
| liquid market.
|
| Lots of organizations have business processes that rely
| on browser RCEs. Generally, there aren't many
| organizations that have business processes that rely on
| serverside vulnerabilities in line-of-business
| applications that have instantaneous half-lives, because
| once the patch is developed they're gone.
| detaro wrote:
| Interesting. I guess a real-world analogy is theft of
| valuables.
| If you steal random money, that's easy to turn
| into value. There's a harder to access criminal industry
| smelting down gold, which will equally reduce jewelry and
| priceless museum artifacts to material value. And a
| unique well-known painting is pretty much impossible to
| sell if you aren't already connected to a buyer with a
| specific interest.
| tedunangst wrote:
| In other words, how much would Pepsi pay for the secret
| recipe to Coke?
| xwdv wrote:
| Hedge funds that employ blackhat hackers to steal
| confidential information from a public company would buy it.
| paxys wrote:
| There is no easily accessible "black market" for a hack like
| this. As an average person what is your alternative really?
| Pick up the phone and call the government of Iran?
|
| It is far more convenient (and safer) to just take the
| guaranteed ~$10K and move on with your life.
| ForHackernews wrote:
| It doesn't have to be "easily accessible" to be valuable.
|
| Corporate espionage exists, insider trading exists (and is
| more common than you might think), there's any number of
| parties who might pay for insider info (once properly
| laundered) about Facebook activities.
|
| Why would "the government of Iran" care about what Facebook
| is up to? Isn't FB banned in Iran?
| fakedang wrote:
| You forget that intelligence and espionage goes both ways.
| Iran could use FB in some way to attack the US, just like
| Russia did, just as it could shield itself from FB.
| BLKNSLVR wrote:
| I've deleted my comment, but will replace it with this
| interesting discussion:
|
| https://news.ycombinator.com/item?id=20651210
| travmatt wrote:
| ~10k and a minor hit of publicity. If you're a security
| researcher I imagine that this is a solid boost to your
| reputation.
| rriepe wrote:
| > Pick up the phone and call the government of Iran?
|
| Would that work? Asking for a friend.
| toyg wrote:
| Even if it did, you wouldn't want to do it.
| Someone like
| that can dispatch goons after the deal, to make sure
| they'll be the only ones to know the hole.
| dang wrote:
| Url changed from https://alaa0x2.medium.com/how-i-hacked-facebook-part-one-28...,
| which points to this.
___________________________________________________________________
(page generated 2020-12-12 23:00 UTC)