[HN Gopher] Instagram's Million Dollar Bug (2015) ___________________________________________________________________ Instagram's Million Dollar Bug (2015) Author : tslocum Score : 48 points Date : 2020-12-14 20:07 UTC (2 hours ago) (HTM) web link (web.archive.org) (TXT) w3m dump (web.archive.org) | paxys wrote: | This was discussed at length when it was first submitted here 5 | years ago. The researcher found a (known) exploit, claimed $2500, | then a month later used internal details he gathered (and saved) | from the first exploit to breach the system further to demand a | bigger payout. | spoonjim wrote: | They didn't change the credentials that had been hacked? God I | wish the hacker had sold the vuln to North Korea. | paulpauper wrote: | Real life is not like the movies, in which a floppy disk of | info is exchanged for a suitcase of money in a dark alley or | in a boardroom. Blackhats typically find that there is little | market for their info, especially before the advent of | bitcoin being popular. yeah, you cracked a bunch of selfie | pics. What can you do with it. not much. | chrissnell wrote: | He had signing keys for the Instagram app and the | *.instagram.com keypair. Do you think that's not valuable | and dangerous? | WalterGR wrote: | _yeah, you cracked a bunch of selfie pics. What can you do | with it._ | | FTA: "specifically I gained access to a lot of data | including SSL certs, source code, photos, etc" | | _Blackhats typically find that there is little market for | their info, especially before the advent of bitcoin being | popular._ | | And now? | paulpauper wrote: | There is no real bug besides the ruby RCE thing. Cracking weak | passwords is not eligible. Sorry. I can see why Facebook denied | him a remittance but their approach of contacting his employer | was wrong. | typenil wrote: | Ah nice. Facebook resorts to intimidating bug bounty participants | acting in good faith by threatening them through their employer | instead of talking. | | Can't say I'm surprised, given the level of ethics Facebook | exhibits at every conceivable level. | LukasReschke wrote: | Disclaimer: I was a Security Engineer on the FB Security Team | until last month and was also involved in the Bug Bounty | Program :-) | | That's not how Facebook treats Bug Bounty Participants. By far, | it's one of the better programs in terms of payouts, fairness, | and triage time on critical issues. | | Just a recent example: a bug bounty hunter reported unexpired | CDN links. After internal research, FB figured out to chain | this into a Remote Code Execution and paid out 80k USD to the | researcher. | (https://www.facebook.com/BugBounty/posts/approaching- | the-10t...) | | That said, I wasn't there in 2015, so I only know the story | from some stories. (which portray the story a tad different) - | Even if it were true, I haven't seen such treatment in the last | three years at FB. | Zee2 wrote: | God, this is frustrating. They essentially cracked Instagram's | entire production environment open, and took explicit steps at | every turn to stay within the published guidelines, and then they | just take his report with zero compensation whatsoever. Insane. | paulpauper wrote: | but he didn't/ He only gained access because the admins used | weak passwords . | hh3k0 wrote: | I wouldn't really blame the guy if he decides to sell the next | one on the darknet. | FriendlyNormie wrote: | Imagine being that close to completely destroying one of the | most evil companies on earth with a single keystroke and | instead of doing that you fall to your knees and suck them off | hoping for a pat on the head. Hell is real and I guarantee this | guy is going there when he dies. | paulpauper wrote: | The problem with bug bounties is they are one-sided, against the | researcher. The conditions of bounties typically stipulate that | any attempt at negotiation can be interpreted as extortion, so it | is either take it or leave it. | LukasReschke wrote: | How else would you phrase someone telling you "I have this bug | and will exploit it if you don't pay me X amount" vs. "I think | the impact is bigger because of Y"? For me, the first sounds | quite clearly like extortion. | | The first case would get you likely in trouble. The second case | would routinely cause a further review in any decent program, | and if there's any merit to it, you get a higher bounty. | | Nobody is forced to participate in any bug bounty program. If | people feel the reward is too low, they should not partake. | julianmcolina wrote: | Million dollar bug actually sounds like a small amount given the | context! | blakesterz wrote: | I tried a little searching but I can't find anything that says | how this all ended. Alex Stamos denied saying anything bad. But | then what? It looks like it was all just dropped pretty much as | is? | vittore wrote: | Are there any means inside IG/FB to let engineers (or employees | in general) hold company/managers accountable in cases like this? | thaumasiotes wrote: | This speaks to a couple of issues that bothered me while working | in bug bounty triage. | | > Alex informed my employer (as far as I am aware) that I had | found a vulnerability, and had used it to access sensitive data. | He then explained that _the vulnerability I found was trivial and | of little value_ , and at the same time said that my reporting | and handling of the vulnerability submission had caused huge | concern at Facebook. | | [my emphasis] | | There is this conceptual separation between the severity of the | issue and the impact. Simplifying things much further than the | situation described in the piece, you could have an admin account | with the password "password". This is a stupid issue. The fix is | to change the admin password. How much of a bounty should be paid | for this report? | | One school of thought is that the value of the report is related | to what you can accomplish by exploiting it. This is clearly the | right approach if you're assessing the issue's value _to an | attacker_. It has some problems in the bug bounty context -- a | major one is that it feels subjectively unfair to the company! | They don 't want to pay 100x more for the same vulnerability just | because, this time, it happened to have more sensitive stuff | behind it. | | Another is that, as here, you often see a chain of | vulnerabilities, all of which are of very little consequence in | isolation, but they happen to combine into something much greater | than the sum of the parts. (I recall a published writeup, which I | can no longer find, in which one important step was a logout | CSRF. Nobody cares about those.) The policy of "stop | investigating as soon as you find anything" rules out this kind | of "whole is greater than the sum of the parts" finding by | definition. | | > Playing By The Rules | | > Microsoft (in my opinion), has done the best job of explaining | exactly how far they would like a researcher to take a | vulnerability. Google and Yahoo imply that you should report a | vulnerability immediately, but do not clarify how far you should | go in determinining impact. Tumblr, on the other hand, puts in | writing the policy of just about every bounty program. The better | your PoC shows impact, the more you are likely to get paid. | Further, the better a researcher can understand and describe | impact, the more likely they are to receive a greater reward. | | This bothers me from a fairness perspective. I have personally | seen essentially the same report on different pages of a webapp | get paid out differently because the researchers provided | different _speculation_ about what might be possible using their | exploit. The guy who got paid less was careful about following | the rules, asking for guidance about exactly what and how he | could investigate, and then he only claimed what he was able to | demonstrate. The guy who got paid more had a more generic claim | that "this demonstrates SQLi, and writing to the database might | be possible". I could not establish whether writing to the | database _was in fact possible_ for the same reason the first guy | (and the second guy) didn 't try -- it might have been | unacceptably disruptive to the company. So I passed the | speculation through, and the payout ended up being higher. | | The lesson here is, "claim the moon and the stars." But I feel | that means the ecosystem is unhealthy; that's not what I think | the lesson _should be_. | | Companies always say they will investigate the full impact of a | vulnerability when you follow the protocol they urge of "as soon | as you find something, report it and don't try to escalate". But | this is nearly impossible to do even if you're trying in good | faith. | | --- | | Sometimes you're not trying in good faith. I have also seen what | is exactly the same issue paid out differently depending on the | category the researcher files it under. Many programs publish | payout schedules by category. In this case, the schedule | contained a mix of technical category types ("XSS") and | functional category types ("account takeover"). One researcher | found a way to present an issue in a low-paying technical | category as a high-paying functional category. I repeatedly noted | in my reports to the company that this researcher was getting | paid quite a lot more for the same vulnerability than other | researchers who didn't know about the loophole. This state of | affairs never changed; I assume the main concern was maintaining | the relationship with the loophole guy. But obviously, this sort | of thing directly falsifies the claim that "we will investigate | the full impact of the issue you report and pay out | appropriately." | LukasReschke wrote: | > Companies always say they will investigate the full impact of | a vulnerability when you follow the protocol they urge of "as | soon as you find something, report it and don't try to | escalate". But this is nearly impossible to do even if you're | trying in good faith. | | Disclaimer: I was a Security Engineer on the FB Security Team | until last month and regularly attended the payout meetings :-) | | I've seen plenty of bug bounty programs making such claims, but | the Facebook program keeps up to this promise the most. Every | bug is root caused to the line that caused the issue and | assessed on maximal potential impact. | | Sometimes that leads to cases where low impact vulnerabilities | got paid out tens of thousands of dollars. The big bounty often | came as a big surprise to the reporter :-) | | Just a recent example: a bug bounty hunter reported unexpired | CDN links. After internal research, FB figured out to chain | this into a Remote Code Execution and paid out 80k USD | (https://www.facebook.com/BugBounty/posts/approaching- | the-10t...) | | Facebook has big pockets. As a bug bounty hunter, I'd not worry | about being screwed by them. It's by far one of the best paying | bounty programs. | | There are many reasons to criticize Facebook or Instagram. But | the handling of its application security should not be in the | top 10 :-) | [deleted] | TravisLS wrote: | Previous discussion (5 years ago): | https://news.ycombinator.com/item?id=10754194 | umvi wrote: | Any closure on this? Did FB ever make amends? Surely there are | some FB security employees on HN. ___________________________________________________________________ (page generated 2020-12-14 23:00 UTC)