Feeds

back to article Facebook fix a bounty boon for researcher

A Facebook bug that would allow attackers to take over user accounts with minimal effort has netted $US20,000 for a UK-based security researcher. As detailed on his blog, Jack Whitten, writing as fin1te, found that accounts could be traversed by exploiting a bug in how Facebook linked user accounts to mobile phones. The …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

This bug represents a cultural problem at FB

Hack first and not consider the long game is FB.

Rushing code into production and wait to see what happens isn't a smart way to run a company.

0
1
Go

hmmmm sounds like it's worth spending an hour or two 'exploring' the more esoteric and obscure FB functions.

2
0
Facepalm

RE: This bug represents a cultural problem at FB

Unfortunately people can't possibly comprehend every possible path an application can take especially when that application has as many different parts as facebook. I'm sure they try their very best but its easy to overlook something once in a while.

At least they are doing something positive by paying bounties to security researchers who find bugs, instead of prosecuting them..

The best possible way to try and fix vulnerabilities like these is to get a bunch of people to try and find them from the outside in and tell them, looks like its working.

1
1
Bronze badge
Childcatcher

Re: This bug represents a cultural problem at FB

The best possible way to try and fix vulnerabilities like these is to get a bunch of people to try and find them from the outside in and tell them, looks like its working.

While I agree that there is something good to be said for FB's recent efforts, giving some thought to security in the initial design would help a lot more than having to retrofit. As far as the "best possible way," there isn't one. It is better to layer pretty much any security approach. Use of both internal and external sources of testing, review and enforcement of policies... the list goes on, and is somewhat tedious.

As far as whether it works, the proof of the pudding would be release of metrics indicating the number of complaints has been reduced. I did a quick internet search for reporting on the same, but did not want to open any links as the top returns were pretty much all about how to implement exploits on FB.

0
0

Re: RE: This bug represents a cultural problem at FB

This is security 101. You don't send user modifiable parameters. You don't send parameters in clear text. Absolutely stupid.

There should be no reason to "test" this scenario: the scenario should not exist. FacePlant "technology" sucks; you entrust your stuff to FacePlant, prepare to have your information harvested.

0
0
This topic is closed for new posts.