[HN Gopher] Instagram's Million Dollar Bug (2015)
___________________________________________________________________
Instagram's Million Dollar Bug (2015)
Author : tslocum
Score : 48 points
Date : 2020-12-14 20:07 UTC (2 hours ago)
(HTM) web link (web.archive.org)
(TXT) w3m dump (web.archive.org)
| paxys wrote:
| This was discussed at length when it was first submitted here 5
| years ago. The researcher found a (known) exploit, claimed $2500,
| then a month later used internal details he gathered (and saved)
| from the first exploit to breach the system further to demand a
| bigger payout.
| spoonjim wrote:
| They didn't change the credentials that had been hacked? God I
| wish the hacker had sold the vuln to North Korea.
| paulpauper wrote:
| Real life is not like the movies, in which a floppy disk of
| info is exchanged for a suitcase of money in a dark alley or
| in a boardroom. Blackhats typically find that there is little
| market for their info, especially before the advent of
| bitcoin being popular. yeah, you cracked a bunch of selfie
| pics. What can you do with it. not much.
| chrissnell wrote:
| He had signing keys for the Instagram app and the
| *.instagram.com keypair. Do you think that's not valuable
| and dangerous?
| WalterGR wrote:
| _yeah, you cracked a bunch of selfie pics. What can you do
| with it._
|
| FTA: "specifically I gained access to a lot of data
| including SSL certs, source code, photos, etc"
|
| _Blackhats typically find that there is little market for
| their info, especially before the advent of bitcoin being
| popular._
|
| And now?
| paulpauper wrote:
| There is no real bug besides the ruby RCE thing. Cracking weak
| passwords is not eligible. Sorry. I can see why Facebook denied
| him a remittance but their approach of contacting his employer
| was wrong.
| typenil wrote:
| Ah nice. Facebook resorts to intimidating bug bounty participants
| acting in good faith by threatening them through their employer
| instead of talking.
|
| Can't say I'm surprised, given the level of ethics Facebook
| exhibits at every conceivable level.
| LukasReschke wrote:
| Disclaimer: I was a Security Engineer on the FB Security Team
| until last month and was also involved in the Bug Bounty
| Program :-)
|
| That's not how Facebook treats Bug Bounty Participants. By far,
| it's one of the better programs in terms of payouts, fairness,
| and triage time on critical issues.
|
| Just a recent example: a bug bounty hunter reported unexpired
| CDN links. After internal research, FB figured out to chain
| this into a Remote Code Execution and paid out 80k USD to the
| researcher.
| (https://www.facebook.com/BugBounty/posts/approaching-
| the-10t...)
|
| That said, I wasn't there in 2015, so I only know the story
| from some stories. (which portray the story a tad different) -
| Even if it were true, I haven't seen such treatment in the last
| three years at FB.
| Zee2 wrote:
| God, this is frustrating. They essentially cracked Instagram's
| entire production environment open, and took explicit steps at
| every turn to stay within the published guidelines, and then they
| just take his report with zero compensation whatsoever. Insane.
| paulpauper wrote:
| but he didn't/ He only gained access because the admins used
| weak passwords .
| hh3k0 wrote:
| I wouldn't really blame the guy if he decides to sell the next
| one on the darknet.
| FriendlyNormie wrote:
| Imagine being that close to completely destroying one of the
| most evil companies on earth with a single keystroke and
| instead of doing that you fall to your knees and suck them off
| hoping for a pat on the head. Hell is real and I guarantee this
| guy is going there when he dies.
| paulpauper wrote:
| The problem with bug bounties is they are one-sided, against the
| researcher. The conditions of bounties typically stipulate that
| any attempt at negotiation can be interpreted as extortion, so it
| is either take it or leave it.
| LukasReschke wrote:
| How else would you phrase someone telling you "I have this bug
| and will exploit it if you don't pay me X amount" vs. "I think
| the impact is bigger because of Y"? For me, the first sounds
| quite clearly like extortion.
|
| The first case would get you likely in trouble. The second case
| would routinely cause a further review in any decent program,
| and if there's any merit to it, you get a higher bounty.
|
| Nobody is forced to participate in any bug bounty program. If
| people feel the reward is too low, they should not partake.
| julianmcolina wrote:
| Million dollar bug actually sounds like a small amount given the
| context!
| blakesterz wrote:
| I tried a little searching but I can't find anything that says
| how this all ended. Alex Stamos denied saying anything bad. But
| then what? It looks like it was all just dropped pretty much as
| is?
| vittore wrote:
| Are there any means inside IG/FB to let engineers (or employees
| in general) hold company/managers accountable in cases like this?
| thaumasiotes wrote:
| This speaks to a couple of issues that bothered me while working
| in bug bounty triage.
|
| > Alex informed my employer (as far as I am aware) that I had
| found a vulnerability, and had used it to access sensitive data.
| He then explained that _the vulnerability I found was trivial and
| of little value_ , and at the same time said that my reporting
| and handling of the vulnerability submission had caused huge
| concern at Facebook.
|
| [my emphasis]
|
| There is this conceptual separation between the severity of the
| issue and the impact. Simplifying things much further than the
| situation described in the piece, you could have an admin account
| with the password "password". This is a stupid issue. The fix is
| to change the admin password. How much of a bounty should be paid
| for this report?
|
| One school of thought is that the value of the report is related
| to what you can accomplish by exploiting it. This is clearly the
| right approach if you're assessing the issue's value _to an
| attacker_. It has some problems in the bug bounty context -- a
| major one is that it feels subjectively unfair to the company!
| They don 't want to pay 100x more for the same vulnerability just
| because, this time, it happened to have more sensitive stuff
| behind it.
|
| Another is that, as here, you often see a chain of
| vulnerabilities, all of which are of very little consequence in
| isolation, but they happen to combine into something much greater
| than the sum of the parts. (I recall a published writeup, which I
| can no longer find, in which one important step was a logout
| CSRF. Nobody cares about those.) The policy of "stop
| investigating as soon as you find anything" rules out this kind
| of "whole is greater than the sum of the parts" finding by
| definition.
|
| > Playing By The Rules
|
| > Microsoft (in my opinion), has done the best job of explaining
| exactly how far they would like a researcher to take a
| vulnerability. Google and Yahoo imply that you should report a
| vulnerability immediately, but do not clarify how far you should
| go in determinining impact. Tumblr, on the other hand, puts in
| writing the policy of just about every bounty program. The better
| your PoC shows impact, the more you are likely to get paid.
| Further, the better a researcher can understand and describe
| impact, the more likely they are to receive a greater reward.
|
| This bothers me from a fairness perspective. I have personally
| seen essentially the same report on different pages of a webapp
| get paid out differently because the researchers provided
| different _speculation_ about what might be possible using their
| exploit. The guy who got paid less was careful about following
| the rules, asking for guidance about exactly what and how he
| could investigate, and then he only claimed what he was able to
| demonstrate. The guy who got paid more had a more generic claim
| that "this demonstrates SQLi, and writing to the database might
| be possible". I could not establish whether writing to the
| database _was in fact possible_ for the same reason the first guy
| (and the second guy) didn 't try -- it might have been
| unacceptably disruptive to the company. So I passed the
| speculation through, and the payout ended up being higher.
|
| The lesson here is, "claim the moon and the stars." But I feel
| that means the ecosystem is unhealthy; that's not what I think
| the lesson _should be_.
|
| Companies always say they will investigate the full impact of a
| vulnerability when you follow the protocol they urge of "as soon
| as you find something, report it and don't try to escalate". But
| this is nearly impossible to do even if you're trying in good
| faith.
|
| ---
|
| Sometimes you're not trying in good faith. I have also seen what
| is exactly the same issue paid out differently depending on the
| category the researcher files it under. Many programs publish
| payout schedules by category. In this case, the schedule
| contained a mix of technical category types ("XSS") and
| functional category types ("account takeover"). One researcher
| found a way to present an issue in a low-paying technical
| category as a high-paying functional category. I repeatedly noted
| in my reports to the company that this researcher was getting
| paid quite a lot more for the same vulnerability than other
| researchers who didn't know about the loophole. This state of
| affairs never changed; I assume the main concern was maintaining
| the relationship with the loophole guy. But obviously, this sort
| of thing directly falsifies the claim that "we will investigate
| the full impact of the issue you report and pay out
| appropriately."
| LukasReschke wrote:
| > Companies always say they will investigate the full impact of
| a vulnerability when you follow the protocol they urge of "as
| soon as you find something, report it and don't try to
| escalate". But this is nearly impossible to do even if you're
| trying in good faith.
|
| Disclaimer: I was a Security Engineer on the FB Security Team
| until last month and regularly attended the payout meetings :-)
|
| I've seen plenty of bug bounty programs making such claims, but
| the Facebook program keeps up to this promise the most. Every
| bug is root caused to the line that caused the issue and
| assessed on maximal potential impact.
|
| Sometimes that leads to cases where low impact vulnerabilities
| got paid out tens of thousands of dollars. The big bounty often
| came as a big surprise to the reporter :-)
|
| Just a recent example: a bug bounty hunter reported unexpired
| CDN links. After internal research, FB figured out to chain
| this into a Remote Code Execution and paid out 80k USD
| (https://www.facebook.com/BugBounty/posts/approaching-
| the-10t...)
|
| Facebook has big pockets. As a bug bounty hunter, I'd not worry
| about being screwed by them. It's by far one of the best paying
| bounty programs.
|
| There are many reasons to criticize Facebook or Instagram. But
| the handling of its application security should not be in the
| top 10 :-)
| [deleted]
| TravisLS wrote:
| Previous discussion (5 years ago):
| https://news.ycombinator.com/item?id=10754194
| umvi wrote:
| Any closure on this? Did FB ever make amends? Surely there are
| some FB security employees on HN.
___________________________________________________________________
(page generated 2020-12-14 23:00 UTC)