[HN Gopher] I Hacked into Facebook's Legal Department Admin Panel
       ___________________________________________________________________
        
       I Hacked into Facebook's Legal Department Admin Panel
        
       Author : hackerpain
       Score  : 226 points
       Date   : 2020-12-12 20:17 UTC (2 hours ago)
        
 (HTM) web link (alaa.blog)
 (TXT) w3m dump (alaa.blog)
        
       | atum47 wrote:
        | well, I wasn't gonna comment about this subject, but here we
        | go: I find this value ($7,500.00) kind of low for a discovery
        | like this.
       | 
        | The other day, someone shared a link to an app [1] that
        | estimates how much an OnlyFans user makes. I gotta tell, it got
        | to me. I was never money orientated and I don't plan to become;
        | but seeing how much someone makes by being naked in front of a
        | web cam vs a software engineer salary is kinda sad.
       | 
        | some of the OnlyFans users make in a month what a plain SE
        | would make in a year. besides the fact that there are some
        | seriously wrong things with the world, I thought this kind of
        | skill would be more rewarded. Given the fact that you could
        | exploit this vulnerability to make a lot more money (or am I
        | mistaken?).
       | 
       | 1 - https://news.ycombinator.com/item?id=25393191
        
         | Latty wrote:
          | Describing that work as "being naked in front of a webcam" is
          | like calling software development "typing at a computer". You
          | can make any job sound trivial and downplay its value by
          | describing it in a way that removes the skill and effort
          | involved.
         | 
          | I'm not sure why you feel the need to imply someone else's
          | work isn't valuable to make the point that this work should be
          | more valuable.
        
           | atum47 wrote:
            | ok, I'll bite. What kind of skill do you need to have,
            | besides being born attractive, to succeed in such business?
        
             | auntienomen wrote:
             | Like a lot of businesses in the addiction space, cam
             | workers make a lot of their money off whales. So the profit
             | comes from high effort relationship maintenance / customer
             | service.
        
             | julianlam wrote:
             | Someone attractive can have the charisma of a dead fish.
        
               | program9 wrote:
               | People will pay for that
        
         | grawprog wrote:
         | >but seeing how much someone makes by being naked in front of a
         | web cam vs a software engineer salary is kinda sad.
         | 
         | >some of the only fans users makes in a month what a plain SE
         | would make in a year
         | 
         | I'm sure if you could think of a way to make software engineers
         | as appealing as naked women, you'd probably find yourself a
         | pretty great job paying well over the people on onlyfans.
        
           | atum47 wrote:
            | well, I might. I finished college back in 2019 and my teacher
            | who was my counselor, runs several projects trying to make SE
            | and CS more attractive to girls. I guess she'll have a harder
            | job to do now, knowing that a girl could rely on her beauty
            | to make thousands of dollars exposing herself to strangers.
           | 
            | Damn it, I have a two year old niece, I guess me and my
            | brother better think of something fast, so when she's a
            | teenager she'll be interested in STEM.
        
             | jrochkind1 wrote:
              | So... that's just not how any of that works. Do you really
              | think most of the women you know are choosing to be on
              | onlyfans _and_ are making huge money off it? Hint, no. Not
              | a choice most would make _and_ most accounts there are not
              | making any kind of money like that.
             | 
             | But you seem really upset about all this. To be clear, what
             | you are mad about is how there are lots of men willing to
             | pay to see naked and sexual content online, right? That
             | really upsets you?
        
               | atum47 wrote:
                | not at all. sex workers will exist forever. I guess my
                | beef is how easy it is for young girls to become one now.
                | Are you struggling with calculus? Is physics giving you a
                | hard time? Well, let me tell you about only fans...
                | 
                | Jokes apart, the appeal was already there. making money
                | from the comfort of your bed. Seeing how much money
                | you can make though, that's what really broke my back.
        
             | grawprog wrote:
             | >who was my counselor, runs several projects trying to make
             | SE and CS more attractive to girls.
             | 
             | This is a good thing. Sorry if my above comment was
             | dismissive and callous. Honestly, it is kind of sad as a
             | society, that's what ends up being valued more highly.
             | 
             | >knowing that a girl could rely on her beauty to makes
             | thousands of dollars exposing herself to strangers.
             | 
             | That's not really anything new. Such things have always
             | existed.
             | 
             | To be honest, my comment was mainly in reference to the
             | business model itself. It's hard to compare a salary or
             | wage with lots of money from donations or subscriptions.
             | 
             | I'm sure there's people on onlyfans that make barely
             | anything and there's lots of software engineers with high
             | paying jobs.
             | 
             | >Damn it, I have a two year old niece, I guess me and my
             | brother better think something fast, so when shes a
             | teenager she'll be interested in STEM.
             | 
              | I dunno, teach her self respect and explain the value in
              | success using one's talents and abilities as opposed to
              | exploiting their appearance or bodies.
             | 
             | There's always been the option for girls to do the second
             | one. I'm glad your teacher and people like her are trying
             | hard to give girls more options like the first.
        
             | toyg wrote:
             | It was always thus. In fact, until the '60s, a girl _had
             | to_ rely on her beauty and personality _to eat and survive_
             | , i.e. by marrying.
             | 
             | I have a daughter and, while obviously I'd prefer she
             | didn't end up on onlyfans, I really don't want to limit
             | what she should do or what talent she should leverage to
             | reach happiness and/or prosperity.
        
         | throwaway3699 wrote:
         | And software engineers make way more money than most healthcare
         | workers... "There's something seriously wrong with the
         | world"...
         | 
         | Main reason this is so is because of scale. One healthcare
         | worker can look after a ward at most, one software engineer can
         | write software that affects millions in a very small way, and
         | some onlyfans accounts hit a smaller scale but with more
         | revenue per user on average.
        
           | atum47 wrote:
           | The same argument I made for SE could be easily done for
           | health workers. They are very important.
           | 
           | but I'll say this: I saw everywhere how underrated health
           | workers are, and I agree. They should be paid a lot more;
           | even more than athletes, in my book.
           | 
            | but how about SE and CS, have you heard anything? the whole
            | economy would crumble, if it weren't for online business.
            | internet, apps, video chats, smart phones... I'm yet to see
            | an AD saying thank you for what those brilliant CS and SE
            | people have done for the world.
        
       | Dumble wrote:
       | I find the paragraph where the author described the exploit hard
       | to read.
       | 
       | Basically, he triggered the "Password Reset" process and then
       | guessed the reset token?
        
         | vasuki wrote:
         | > I sent random requests using intruder with a CSRF token and
         | random emails with a new password to this endpoint
         | /savepassword
         | 
          | So this endpoint simply allowed setting up a new password with
          | a POST request for the specified email address and he was able
          | to guess the email .. ¯\_(ツ)_/¯
        
           | [deleted]
        
           | zaroth wrote:
           | That's how I read it as well, almost too absurd to believe.
           | 
           | SetPassword and the parameters to the function are just
           | username and newPassword.
           | 
           | I guess they assumed there was authentication happening
           | before the request would even be served (pre-existing
           | session).
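
The flaw as the two comments above read it, modelled as an added example (not code from the blog post, from Facebook, or from anyone in this thread): a password-set handler that trusts the submitted email, beside a hardened version that binds the change to a one-time, expiring reset token delivered to the account owner. `UserStore`, the function names and the sample users are constructed for illustration; the real endpoint's code is not public.

```python
"""
Added example: a password-change endpoint that accepts only an email
(the shape the thread infers for /savepassword) beside a hardened flow
that requires proof of ownership via a one-time reset token.
All names and data here are constructed, not taken from the real system.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _clock(now: Optional[float]) -> float:
    # injectable clock so expiry can be exercised deterministically
    return time.time() if now is None else now


def _hash_password(password: str, salt: bytes) -> bytes:
    # salted PBKDF2; iteration count kept low so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class UserStore:
    """Constructed in-memory stand-in for the application's user database."""

    def __init__(self) -> None:
        self.users = {}          # email -> (salt, password hash)
        self.reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    def set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash_password(password, salt))

    def verify_login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        # constant-time comparison of the two digests
        return hmac.compare_digest(stored, _hash_password(password, salt))


# Vulnerable shape: the only input identifying the account is the email, so
# any caller who knows (or guesses) a valid address can overwrite its
# password. Nothing ties the request to an authenticated session or to a
# reset the owner actually initiated.
def savepassword_vulnerable(store: UserStore, email: str, new_password: str) -> bool:
    if email not in store.users:
        return False
    store.set_password(email, new_password)
    return True


# Hardened shape, step 1: issue an unguessable token and store only its hash,
# so a leaked token table cannot be replayed. The token itself is sent to the
# owner out of band (e.g. by e-mail); that delivery is outside this example.
def issue_reset_token(store: UserStore, email: str, ttl_seconds: int = 900,
                      now: Optional[float] = None) -> Optional[str]:
    if email not in store.users:
        return None   # the HTTP layer should still answer generically
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[digest] = (email, _clock(now) + ttl_seconds)
    return token


# Hardened shape, step 2: the password change names no email at all; the
# account is derived from a valid, unexpired, single-use token.
def savepassword_hardened(store: UserStore, token: str, new_password: str,
                          now: Optional[float] = None) -> bool:
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)   # pop: a token is single use
    if entry is None:
        return False
    email, expiry = entry
    if _clock(now) > expiry:
        return False
    store.set_password(email, new_password)
    return True


if __name__ == "__main__":
    s = UserStore()
    s.set_password("alice@example.com", "old-pw")
    print("vulnerable overwrite:", savepassword_vulnerable(s, "alice@example.com", "x"))
    tok = issue_reset_token(s, "alice@example.com")
    print("hardened with token:", savepassword_hardened(s, tok, "new-pw"))
    print("hardened replay:", savepassword_hardened(s, tok, "again"))
```

The point of the hardened version is that the request carries no account identifier the caller chose: whoever holds the token is whoever received the reset message, the token is consumed on first use, and it dies on its own after the TTL, so a fuzzing run of the kind described in the post finds nothing to guess.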
        
       | throwitaway1235 wrote:
        | You brilliant guys need to find a way to extract more than $7500
        | for solutions to problems that less than what, 2%?, of the world's
        | population can solve.
       | 
       | If I were your tech agent I'd demand Facebook pay out $75,000
       | minimum for this specific problem.
        
         | sltEvas wrote:
         | 2%? You have an interesting idea of the world's population.
         | Just think about what that means. It means 2 out of 100 people
         | can hack into Facebook's Legal Department Admin Panel.
         | 
         | I mean if we are talking "mentally capable to achieve that
         | within a decade if the person does nothing else but strive to
         | that goal"... Perhaps.
         | 
         | If we are talking "sit down right now and do it", then it's
         | more like what... 10,000-100,000 people on earth? Which makes
         | for more like 0.0014%?
        
           | jiofih wrote:
           | So logically you deserve to be paid 0.0014% of Facebook's
           | yearly revenue, which is around $1,176,000.00! /s
        
         | scarlac wrote:
         | > I'd demand Facebook pay out $75,000 minimum
         | 
         | Wouldn't demanding money be blackmailing?
         | 
         | A story from one of my startups: A student reached out to us
         | regarding a security vulnerability on the website, demanding
         | money for it. He refused to say what it was or provide evidence
         | at first, so we couldn't assess it. He said he'd disclose it to
         | others if we didn't.
         | 
         | I definitely felt blackmailed. I am not a lawyer but it felt
         | illegal. Maybe someone can chime in to say if it is?
        
           | rhexs wrote:
           | Unless litigating students is something your startup is
           | interested in, I'd recommend ignoring that line of thinking
           | and just hiring a good pen tester for a few months.
        
           | ericjang wrote:
           | Rather than the exploiter setting an arbitrary price (which
           | would be closer to blackmail), I think parent comment was
           | saying that the fair market value of disclosing such a bug
           | was worth closer to $75k given the unique skill set required.
           | 
           | Skilled engineers turn to cybercrime when white-hat bounties
           | are insufficiently rewarding, so it is in everyone's interest
           | to pay competitive rates for finding security
           | vulnerabilities.
        
       | anonu wrote:
        | $7500 seems low for this bug. If I were Facebook I would raise
        | it. Why?
       | 
       | Cost/benefit analysis tells me I could probably get a lot more
       | for this bug going to some more nefarious actors.
       | 
       | $7500 is a drop in the ocean for a company like FB who has a
       | reputation to keep intact.
        
         | zitterbewegung wrote:
         | How do you know if this is happening or not?
        
       | polishdude20 wrote:
       | What is this fuzzing tool you use to get the endpoints?
        
         | tptacek wrote:
         | It's sort of implied that it's not Burp Intruder, but Burp
         | Intruder would be a pretty normal way to do this.
        
         | OminousWeapons wrote:
         | Dirbuster, gobuster, or some variant is probably what was used
         | here.
        
       | trav4225 wrote:
       | I've always wondered, aren't these types of bug investigations
       | illegal? Aren't the investigators concerned about criminal
       | prosecution? Not being snarky; I'm asking sincerely.
        
         | KMnO4 wrote:
         | Generally companies prefer if you find bugs and disclose them
         | before malicious parties find and exploit them.
         | 
         | Most websites have a "responsible disclosure" policy. If you
         | can't find this linked on their main page, you can often find
         | it at /security.txt or /.well-known/security.txt
         | 
         | [0]: https://securitytxt.org/
         | 
         | [1]: https://facebook.com/security.txt
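
To make the security.txt pointer above concrete, here is an added example (not from the comment, from securitytxt.org, or from Facebook) that parses a file in the RFC 9116 `Field: value` format and reports whether it is usable for disclosure: it must carry at least one `Contact`, must carry `Expires`, and must not be past that date. The sample file is constructed; `parse_security_txt` and `check_security_txt` are names chosen here.

```python
"""
Added example: parse and sanity-check a security.txt (RFC 9116) file.
The SAMPLE text is constructed for illustration, not a real site's file.
"""
from datetime import datetime, timezone

SAMPLE = """\
# constructed sample security.txt, not a real one
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2021-06-01T00:00:00Z
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, fr
"""


def _parse_ts(value: str) -> datetime:
    # RFC 9116 uses RFC 3339 timestamps; fromisoformat needs +00:00 for Z
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def parse_security_txt(text: str) -> dict:
    """Return {lowercased field name: [values...]}; comments and blanks skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue   # tolerate a malformed line rather than fail outright
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now_iso: str):
    """Parse the file and list problems relative to the given RFC 3339 time."""
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact")
    if "expires" not in fields:
        problems.append("missing Expires")
    else:
        expires = _parse_ts(fields["expires"][0])
        if expires <= _parse_ts(now_iso):
            problems.append("expired")
    return fields, problems


if __name__ == "__main__":
    today = datetime.now(timezone.utc).isoformat()
    fields, problems = check_security_txt(SAMPLE, today)
    print("contacts:", fields.get("contact"))
    print("problems:", problems or "none")
```

In practice you would fetch `/.well-known/security.txt` (falling back to `/security.txt`) over HTTPS and feed the body to `check_security_txt`; the expiry check matters because a stale file sends reports to addresses nobody reads.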
        
         | jcims wrote:
         | In general you are on shaky legal ground.
         | 
         | However, some companies (including Facebook) have a bug bounty
         | program that provides a prescribed safe harbor that you can
         | operate within to discover vulnerabilities within their
         | products or infrastructure in exchange for some kind of
         | recognition or award.
         | 
          | The terms of Facebook's bounty are here:
          | https://www.facebook.com/whitehat
         | 
         | Based on a cursory glance and the fact that this individual was
         | awarded in their program, it appears they operated by the book.
         | 
         | Prosecuting activity that happens outside of these parameters
         | has definitely happened in the past and will continue. It's not
         | always a cut and dried decision. It can be difficult/expensive
         | to effectively prosecute and you may find a lot of social
         | backlash depending on the nature and impact of the activity.
        
           | bredren wrote:
           | Yes. Most competent tech companies permissibly allow
           | "security research" like this.
           | 
           | If you are genuinely trying to find exploits in good faith,
           | and are acting within the parameters spelled out in their bug
           | bounty program, it's all good. You also may get paid.
           | 
           | This blog entry sort of dramatized what happened for clicks.
           | I actually think it's unwise to characterize any exploit like
           | this, because it adds a PR dimension consumer companies just
           | don't want or need.
           | 
           | It sort of creates a sense of adversarial relationship which
           | isn't really what FB is after.
           | 
           | But it sounds like a risky endeavor put this way and probably
           | helps get retweets attention in the short term.
        
             | jcims wrote:
             | Totally agree with your perspective here. There's security
             | research and there's bug prospecting. Both have streaks of
             | narcissists and showboaters but the latter seems to be
             | thick with them.
        
               | markdown wrote:
               | > There's security research and there's bug prospecting.
               | 
               | If the end result of your work isn't a whitepaper or
               | something similar from which others can learn, then you
               | can call your work "security research".
               | 
               | Bug bounty programs are mainly targeted at bug
               | prospectors.
               | 
               | > Both have streaks of narcissists and showboaters but
               | the latter seems to be thick with them.
               | 
               | Thank god for that. Blog posts like the one this thread
               | is about are really valuable to those of us interested in
               | the work of others.
        
               | jcims wrote:
               | >Thank god for that. Blog posts like the one this thread
               | is about are really valuable to those of us interested in
               | the work of others.
               | 
               | I can see how what I said could be interpreted as 'folks
               | that blog about their work are narcissists'. That wasn't
               | my intent. The headline is a bit clickbaity but the
               | explanation is a good walkthrough. This isn't the far end
               | of the spectrum that I had in mind. Watching twitter or
               | working for a bug bounty program is a better way to get
               | exposed to that set.
        
         | curiousgal wrote:
         | Many of these guys are based in Third World countries, it's
         | more complicated to go after them over petty stuff.
        
           | Cyph0n wrote:
           | This has nothing to do with it.
           | 
           | See sibling comments for the actual reason: Facebook and
           | other companies typically allow this kind of security
           | research, as long as the intent is not malicious and the
           | researcher operates within some boundaries.
        
         | ikiris wrote:
         | Would you rather someone find it and report it to you, or sell
         | it on the dark web / exploit it?
         | 
         | Making this kind of research illegal only makes sure the end
         | result is always the latter.
        
         | snazz wrote:
         | Facebook allows people hunting for bugs to find them on
         | approved subdomains following their bug bounty policy.
        
         | detaro wrote:
         | Places with a bug bounty program typically publicly state rules
         | for what they think is ok for a researcher to do, specifically
         | to avoid that problem. Without permission like that, yes, such
         | an investigation can quickly move into legally dangerous areas,
         | and not all companies have gotten the idea that if someone is
         | willing to tell you about a problem you want them on your side,
         | threatening or suing them just means the next time someone
          | finds something you're not told. (of course that's not a free-
          | for-all for researchers, if you start actually poking in
          | private data or hack actual people's accounts that's a problem)
        
         | [deleted]
        
         | heavyset_go wrote:
         | In the US, yes. Unauthorized access and computer trespass is
         | often felonious. People have gone to prison for logging into an
         | email account by guessing the password[1].
         | 
         | [1] https://www.helpnetsecurity.com/2010/11/12/palin-e-mail-
         | hack...
        
       | iso8859-1 wrote:
       | First pentester I found with 12k followers on Instagram:
       | https://www.instagram.com/al_shwele/ but 8 on GitHub:
       | https://github.com/Alaa-abdulridha
       | 
       | Instagram keeps surprising me...
        
         | Traubenfuchs wrote:
         | The majority of the accounts following him have 0 posts, very
         | low amount of followers and follow thousands of other people.
         | They are most likely bought or collected via an online bot
         | tool. Further quantitative evidence: His posts have a very low
         | amount of likes and comments.
        
           | pletsch wrote:
           | 61 likes off 13k followers..yeah, that's a tough sell.
        
           | Debug_Overload wrote:
           | > The majority of the accounts following him have 0 posts,
           | very low amount of followers and follow thousands of other
           | people.
           | 
           | There's also the issue of "follower farmers". Basically, some
           | spam accounts start following tens of thousands of people
           | hoping at least some will check their profiles, maybe follow
           | them back or click on their spam.
           | 
            | I noticed this mostly on Twitter, and after some digging, it
            | turns out to be a common tactic used by spammer bots (or umm,
            | "marketing teams"). I don't know how common that issue is on
            | Instagram though but it could be the same.
        
           | [deleted]
        
         | Cyph0n wrote:
         | Not sure about that account, but penetration testing is
         | actually fairly popular in the Middle East. Cost of living is
         | typically quite low, so decent researchers can make a living
         | from bug bounties.
         | 
         | Fun fact: Tunisia, a relatively small North African country,
         | was awarded the second highest number of Facebook bounties this
         | year[1].
         | 
         | [1]: https://about.fb.com/news/2020/11/bug-bounty-program-10th-
         | an...
        
       | lqet wrote:
       | Interesting, but missing words and strange/missing punctuation
       | make this a bit hard to read.
        
         | JadoJodo wrote:
         | I suspect this is an ESL post.
        
           | exlurker wrote:
           | ESL = English as Second Language. Had to look it up.
        
           | toyg wrote:
           | It read more like an ADHD post (no offense), the author
           | clearly had no time to waste on full stops.
        
       | z3t4 wrote:
        | Judging by the response letter it seems they think he only
        | managed to reset a password... not _setting_ the password. Will
        | be interesting to read the follow up.
        
       | ForHackernews wrote:
       | $7500? Why are these bug bounties so piddling?
       | 
       | How much would an exploit like this be worth on the black market?
       | What's the potential loss / liability on Facebook's side?
       | Hundreds of thousands? Millions?
        
         | tptacek wrote:
         | There is no market for bugs like these.
        
           | saltyshake wrote:
           | not even for nation states/APTs? Are you sure about that?
        
             | _tk_ wrote:
             | I can't speak for Thomas- but generally you'd want to
             | invest your money in a vuln that is rather static. Web
             | applications with attack surfaces that are constantly
             | changing are not a good fit for a sophisticated attack with
             | potentially huge blowback.
        
           | dennisy wrote:
           | Could you please elaborate?
        
             | tptacek wrote:
             | Sorry, I didn't write clearly. What I meant was, there is
             | no market for RCEs in random Facebook backoffice sites.
        
             | VWWHFSfQ wrote:
              | Where are you going to go to sell it? Are you going to go
              | find some tor hidden service with a forum that you can post
              | your exploit on and hope that somebody will give you some
              | bitcoins for it? You think that those are not under heavy
              | surveillance already? The "black market" for this kind of
              | thing is way overblown. And if you think you can just go
              | sell it to some nation state, think again. That's an easy
              | way to end up in a federal supermax.
        
           | mszcz wrote:
           | Isn't legal involved in most business moves? Getting a wind
           | of those ahead of a public announcement surely must be worth
           | something ;)
        
             | detaro wrote:
             | A "market" needs a bit more than "is worth something".
             | 
             | What multiplier of the $7500 bounty would you want for the
             | trouble of committing a crime? Who's the buyer (FB afaik
             | doesn't buy a whole lot of publicly traded companies, so it
             | probably needs to be someone who can get into the deals,
             | and quickly)? How do you find them? How do you convince
             | that buyer that your deal is worth the money and the hassle
             | of committing a crime? How do you trust the buyer? How do
             | you handle it if the hole gets closed before the buyer can
             | profit? How do you value the risk it gets closed before you
             | got your deal? Does all that work out in a way that you
             | really don't want to take the bounty?
             | 
             | People buying backdoor access into companies probably
             | happens occasionally, but it's probably not the easy high-
             | profit thing compared to bounties many people think, but
             | rather on the level of selling account information by the
             | dozen for a few bucks - and for something like that you'll
             | burn them quickly.
        
               | mszcz wrote:
               | Didn't say it was easy to monetize. I do recall a bust,
               | some time ago, of a ring that used prerelease (?)
               | announcement pdfs already placed on publicly accessible
               | servers (?) as a source of insider alpha.
               | 
               | ('?' because I'm on my third whiskey and about to turn in
               | :)
        
               | detaro wrote:
               | Yeah, the response is purely in context of the mentions
               | of "black market" value higher up the thread. Being able
               | to turn potential gain for someone into actual money for
               | you is the key issue.
        
               | tptacek wrote:
               | I believe a good way to think about the market for
               | vulnerabilities is this:
               | 
               | There are markets for vulnerabilities that slot
               | seamlessly into existing business processes. In other
               | words, you can tend to find a buyer for a vulnerability
               | that would replace another vulnerability already being
               | used, that accomplishes pretty much exactly the same
               | thing as that vulnerability. The more people run that
               | business process, the more likely it is that there's a
               | liquid market.
               | 
                | Lots of organizations have business processes that rely
                | on browser RCEs. Generally, there aren't many
                | organizations that have business processes that rely on
                | serverside vulnerabilities in line-of-business
                | applications that have instantaneous half-lives, because
                | once the patch is developed they're gone.
        
               | detaro wrote:
               | Interesting. I guess a real-world analogy is theft of
               | valuables. If you steal random money, that's easy to turn
               | into value. There's a harder to access criminal industry
               | smelting down gold, which will equally reduce jewelry and
               | priceless museum artifacts to material value. And a
               | unique well-known painting is pretty much impossible to
               | sell if you aren't already connected to a buyer with a
               | specific interest.
        
               | tedunangst wrote:
               | In other words, how much would Pepsi pay for the secret
               | recipe to Coke?
        
           | [deleted]
        
           | xwdv wrote:
           | Hedge funds that employ blackhat hackers to steal
           | confidential information from a public company would buy it.
        
         | paxys wrote:
         | There is no easily accessible "black market" for a hack like
         | this. As an average person what is your alternative really?
         | Pick up the phone and call the government of Iran?
         | 
         | It is far more convenient (and safer) to just take the
         | guaranteed ~$10K and move on with your life.
        
           | ForHackernews wrote:
           | It doesn't have to be "easily accessible" to be valuable.
           | 
           | Corporate espionage exists, insider trading exists (and is
           | more common than you might think), there's any number of
           | parties who might pay for insider info (once properly
           | laundered) about Facebook activities.
           | 
           | Why would "the government of Iran" care about what Facebook
           | is up to? Isn't FB banned in Iran?
        
             | fakedang wrote:
             | You forget that intelligence and espionage goes both ways.
             | Iran could use FB in some way to attack the US, just like
             | Russia did, just as it could shield itself from FB.
        
           | BLKNSLVR wrote:
           | I've deleted my comment, but will replace it with this
           | interesting discussion:
           | 
           | https://news.ycombinator.com/item?id=20651210
        
           | travmatt wrote:
           | ~10k and a minor hit of publicity. If you're a security
           | researcher I imagine that this is a solid boost to your
           | reputation.
        
           | rriepe wrote:
           | > Pick up the phone and call the government of Iran?
           | 
           | Would that work? Asking for a friend.
        
             | toyg wrote:
             | Even if it did, you wouldn't want to do it. Someone like
             | that can dispatch goons after the deal, to make sure
             | they'll be the only ones to know the hole.
        
       | dang wrote:
       | Url changed from https://alaa0x2.medium.com/how-i-hacked-
       | facebook-part-one-28..., which points to this.
        
       ___________________________________________________________________
       (page generated 2020-12-12 23:00 UTC)