Now that's a fortune cookie! Facebook splats $5k command-injection bug in one of its servers

Facebook has patched a remote-code execution flaw discovered in one of its servers. Researcher Daniel 'Blaklis' Le Gall, of SCRT Information Security, said on Friday he bagged a $5,000 bug bounty from the social network for reporting a flaw that could be exploited to execute arbitrary commands using malicious cookies. Though …

  1. Anonymous Coward

    Researchers need to stop helping 'the borg' find bugs

    Instead why not put those vulnerabilities to work and purge the 'HIVE'?

    Where are Shadow-Brokers or Anonymous etc, when you need them.

    Only half kidding here, because GDPR / DP-Regulators won't save us:

    -

    "Facebook HIVE: Web browsing history is staggeringly sensitive.... It can be used to infer information on sexuality, purchasing habits, health information or political leanings.... Recognise that this data is among the most intrusive data that can be collected on individuals in the 21st century,"

    -

    https://www.theregister.co.uk/2018/08/24/irish_data_protection_commish_opens_inquiry_on_facebook_data_transparency/

    __________________________________

    Max Schrems / NOYB: "Tech companies will likely do the maths on GDPR sanctions to see which problematic features are so profitable that they can afford to keep them running - or at least eat a one-time fine as an experiment in testing the EU"

    -

    https://www.rte.ie/news/business/technology/2018/0816/985601-google-location-gdpr/

  2. Keef

    'Say what you will about Facebook'

    Since you asked, I will.

    Let's not use it.

    Cheers,

    Keef.

    1. Anonymous Coward

      'Let's not use it' - The-Borg: Resistance is Futile

      You don't have a choice! What do you think the Facebook HIVE is all about? This is the biggest misperception about Facebook and Google too. If everything is logged across the net then there is no escape! How can you stop it? Even if you and everyone uses Ad-Blockers, there's still server-side data-sharing / tracking.

      1. Benchops

        Re: 'Let's not use it' - The-Borg: Resistance is Futile

        Even if you do manage to make a choice not to use it, they just infer everything about you by the "you-shaped-hole" that all your friends' facebook apps are pointing at.

  3. Aitor 1

    Ahem

    No whitespaces after the hash? PEP8 violation!

    https://www.python.org/dev/peps/pep-0008/#inline-comments

  4. ilovecookiez

    Only $5k?

    The guy found out an exploit with potential for arbitrary remote code execution. He could have caused serious damage to the Zucc's servers.

    The message I'm getting is that if a hacker finds an exploit on facebook they're better off selling it on the black market than reporting it.

  5. This post has been deleted by its author

  6. Anonymous Coward

    $5K Suckers Game

    ......"The message I'm getting is that if a hacker finds an exploit on facebook they're better off selling it on the black market than reporting it."......

    Agree, it's laughable right now.... GDPR has been immediately useful for shining a light on hidden privacy abuses (Facebook HIVE etc). But it still requires enforcement action. That's more likely to come from private lawyers and sueballs fired from Schrems etc. But this all takes time as the wheels of law turn slowly. Privacy abuses and penalties are on a par with Church abuse or only compensating victims decades after the fact.

    So that definitely isn't enough to persuade criminal tech organizations that behave like mafia 'cults'. Look at the Facebook 'ugly truth' memo etc. So doing the right thing voluntarily? No chance! There's just too much money in it. On the other hand, if White-Hat hackers use new bugs to expose more wrongdoing instead, the revelations may become just too much to ignore.

    Overall, we need to bombard executives at Facebook / Google on a daily basis, so there's no turning away. No more apologies! Privacy is a human rights issue now. We need the families of big tech to suffer and feel the heat. They're the ones who can really apply the pressure. Otherwise the trillion dollar rewards are just too much of an anti-incentive to fix anything!
