Researcher claims Facebook tried to gag him over critical flaw

So he's damned if he did and the users are damned if he didn't?

I'm with the "him doing". Security should run deep in company's network and servers. If he can find it, then so can the bad guys. He told them what he found and where. I hope they fixed not just the front door but what he found in the basement also.

Also...

He was tipped off via IRC... so....

who got there first?

As it took a couple of months for this to get 'fixed', somebody else has (potentially) got the keys. Have they re-created the private keys? Would they have done if he hadn't got his hands on them, or would they just have patched Ruby?

Whoa

Now this was a rollercoaster of a story! Gotta say though, I think facebook were in the right. Purely because it seems like this guy was constantly just BEGGING for a loophole or opening. I don't blame him mind, the idea of showing up facebook and the like is a wet dream many of us...dream of (shut up, prose is not my thing).

I truly believe there was mischief at heart in this...not malice though. But then again it isn't a stretch to think he thought he was doing a public service, showing the absolute abysmal security measures the people in charge with 105% of the population's social media (er...maths too) take.

why the hell not

Surely finding that not only was the front door unlocked but the keys to large and expensive car were in a bowl by the door, why wouldn't he warn them that an attacker can get really deep into their network and do serious damage.

They should be happy he told them so they could make such a thing a priority rather than shout and scream he went too far.

Besides, if they behave so heavy handed and go over the heads of researchers to their bosses then how do thru think the community will handle it? They may end up reaping what they sow.

Though I understand how touchy people get when flaws are found... They don't always take it the right way.

Congratulations

Now all the less ethical hackers know that lots of goodies lie behind the poorly locked door because of rather pathetic practices (seriously, no numbers or symbols in the passwords?).

While both sides have a valid argument to support their actions, the thing that should not be forgotten is that the researcher was looking to discover, not looking to pwn. As has been pointed out above, the guy was tipped on IRC, which could easily indicate that somebody else has been there, could have done all of this, and given the payout of the bounty, they don't appear to even know.

Typical story line - tell them that they have a problem and all of a sudden, you have a problem. This is why I never report security issues.

If I was Facebook I'd have quietly given him a pile of money along with an agreement that he'd never say anything about what he did. It sounds like he went right up to the edge of what is ethical but at the same time he's (hopefully) cleared up a wide range of security issues. I wonder if this is a case of the guys are Facebook feeling ashamed that their systems were so easy to break into. Shame can be a strong motivator to do things that you otherwise would consider wrong. I'd have hope though they would have the maturity to say "better him that someone else".

These bounty amounts are pathetically low. the vulnerable code would have cost in the 10s of thousands to write. If not 100 of thousands.

Facebook. Does Facebook even facebook.

If some looks at my house and notices my window open, I'd like to be told, but I would have serious issues if they poked around my house claiming they were looking for more open windows, while looking through my cupboards.

Sometimes you wonder

whether those paying bug bounties in fact only want to see the most obvious flaws discovered (the amount paid seems to indicate that).

Admittedly, it's a thin line, but the guy here discovered an already rumoured flaw (IRC tip-off), and by digging a bit deeper, he also revealed the severity and impact while finding other poor practices (passwords) along the way.

Has he possibly crossed a line? Maybe. But then again he didn't take the keys and went on to sell them. Instead it was immediately clear what Facebook needed to do: Fix the flaw, change all passwords, replace the keys he was able to access.

Rather than pestering him, they should have paid a substantial amount to encourage others to do the work for them. If you make their life miserable and pay them with petty cash, you only discourage the most talented white hat hackers to look at your systems, because they can earn more money elsewhere without being hassled.

The black hat hackers on the other hand will be more encouraged, because they can assume that fewer bugs have been discovered, which means potentially bigger loot for them. And that group of hackers will not tell you what they found. Pastebin will.

FB CSO Alex Stamos is obviously an idiot and should be fired from FB on a short notice. Does FB's policy require security experts to submit "evidence of flaws that allow deep penetration of the firm's servers"? Obviously it does. Did the guy do it? Of course, because he was promised by corporate marketing BS to be paid for it. Did he cause ANY problems with it (meaning downtime, data leak or ANYTHING that would've compromised FB in any way)? NO. Did some data stolen from FB start appearing on pastebin or whatnot? Obviously not (otherwise FB would be in deep sheet by now).

Really, Stamos, you're an idiot. Why don't you just go ahead and work as a garbage collector instead? Hopefully that's a position where you won't mess anything up and don't get an opportunity to threaten anyone either. Oh and while I'm at it: you're a sneaky, sleazy bastard too. Didn't threaten with legal action or ask Wineberg to be sacked? Of course you did, only between the lines, not directly.

It's quite interesting to see a company like FB turn from a startup full of hopes into a corporation full of bastards and empty slogans/meaningless guarantees/promises in real time. History's repeating itself over and over again (yes, Micro$oft, Apple et al. I'm looking at you!).....

Oh and threatening security researchers with lawsuits to shut them up about your pathetic security holes just creates ticking time bombs: you'll just never know when will it go off and will your confidential corporate data suddenly start appearing out in the open. Just ask the scumbags at Sony about it. I'm sure they'll confirm how "wise" did they act about security (I bet their shareholders were REALLY happy about the turn of events too). Sigh, when will the corporate dumba$$es sitting in top positions learn (most probably never, because that's what landed them in those positions in the first place)......

Why the "house" and "underwear drawer" analogies?

Do some of the posters above live in server rooms or something? The comparison to breaking into somebody's home is at best inaccurate and at worst deliberately overly-dramatic.

This is akin to breaking into a place of business using a credit card to bypass the Yale lock then finding the safe keys in an unlocked drawer, opening the safe, photographing the contents then sending the photographs to the company who own the premises.

Please do not be so misleading as to suggest that this is in any way akin to the heinous crime of housebreaking.

A little bit pregnant

So, their preferred pen testing is to be only a little bit pregnant?

Got it.

Stamos should have called Synack and the researcher, told them "Ok, thank you for the findings, here's the bounty, but please, avoid such behavior in the future because etc. etc., unless explicitly asked to perform a pen test. Here's also an NDA to sign, and we need to be sure you deleted any data you can have copied. If any isn't deleted and we will become aware of it, a legal action will follow."

John the Ripper

"John the Ripper, an open source password cracker capable of about 250 guesses a second"

Is it that slow? Wow, even with bcrypt I would expect the cracking software to do thousands of guesses per second, and hundreds of millions if MD5 is used.

When a neigbour stops by late at night to tell you your garage door is open

You ask him in for a beer, then close the door.

You don't set the dog on him.

Hackers don't care

Hackers don't care if they should not go further, so why should pen testers.If a pen tester gains higher level privileges and they do not mess with or alter anything and report what they have done and how they did it then they should be rewarded. Just because the flaw was not software or code based does not remove the fact that it was a flaw, and a massive flaw at that.

I for one am glad that he found this flaw and informed facebook. How many other people found the "keys to the Kingdom" as I've heard this hack call in other articles.

It seems like a very lax approach to security to allow staff to have weak passwords set for any account or service on their domain. Have these staff members been fired, or at least reprimanded ?

A hacker is not going to sit there and be like "O look i cracked these weak passwords, but I better not go any further"

Black Hats also pay Bounty

I think that Facebook's Alex Stamos fails to grasp the magnitude of the bad precedent he is setting. One of the reasons for offering a bug bounty is to provide incentive for the successful security researcher to "sell" his/her discoveries to the owner/author of the broken software. Entities (like Facebook) that prefer to shoot the messenger in an effort to conceal bugs from the public and to defray or ignore bounty payments are, in effect, motivating researchers to sell their discoveries to black hat entities instead. No ethical researcher would do this...but the temptation is still there.

Wow... cos the bad guys would stop before they find this stuff

Seriously cannot believe that they're hitting on a white hat for finding a flaw in their system.

Would love to see the amount of butthurt that they'd be crying about if a black hat had got in and started pulling Instagram account details and code.

IMHO Alex Stamos needs to grow a pair, man up and admit that they screwed up - BADLY - with their security, then they need to fix it, then they need to pay the guy that found the crap security they implemented on the S3 buckets.

Timing is important

If Weinberg is to believed, the Reg's summary of the timeline is incorrect and very misleading. Weinberg claims that he carried out all his research, pivoting and access escalation at or before October 28. He received the request from Facebook to desist only much later (Nov. 6, and only long after he requested a clarification of Facebook's policies.)

Weinberg only *reported* the issue with the AWS keys after the November 6th warning (On Dec. 1). So if he is to be believed (and we can only assume that Facebook's access logs bear his account out) what Facebook got upset about is being told about their security disaster---not any action that Weinberg took in good faith doing his research. That's obviously why Weinberg's lawyer is telling him he's not in trouble.

Facebook needs to learn how to accept hearing the bad news. Especially if they're going to screw up with their security and put their end-user's privacy at risk to this extent. Weinberg may be a jerk for trying to publicly embarrass them over it, but I can understand where he is coming from.

And I think, really the Reg owes Weinberg an apology. The summary in this article is totally off-base.

How about be glad the guy took the time to dig around, seeing how far he could go! Would your rather a guy with legit credentials, a REAL researcher, comb through and report what he finds or joe shmoe, black market hacker, from _____ [insert location] find it, exploit it, and darn near make it available for the whole world??? I wish sometimes these guys would just take the L, shut up, lock down the holes, eat a cookie, and move the hell on!! sigh..