I'd be willing to bet a five figure sum that this plan would work either not at all, or for less than a week.
The vulnerability itself is interesting, and more prone to monetization utility than the standard fare of bug bounty reports that get posted here, so I'll give you that.
However, Facebook has one of the most sophisticated anti-scraping/crawling systems I have ever seen in production. Automating this with any non-trivial scale would immediately alert several teams, especially in security, risk, QA and analytics.
This is assuming that you could realistically automate the act of inviting and uninviting non-friends without any penalization. In fact, what would probably happen is a rate-limit trigger that would temporarily knock out access from your IP address. There are also account-level rate limits, not just IP-level.
Realistically, I'd use this for targeting a specific person in order to get their private contact information. I suppose that could actually be worth something, like if someone wanted a well known VC's private email address. But it's an odd length to go to nowadays when most professional emails are pretty guessable.
> Facebook has one of the most sophisticated anti-scraping/crawling systems
Not only that, Facebook has a such a sophisticated security design that prevents leaking of private information in the first place. Oh, wait... /Irony.
I don't understand why FB can be so sloppy in one aspect of security and yet you claim that they are brilliant in another aspect of security. It's possible. It's possible that some guy never washes his hands, his hands are completely filthy, but his clothes are always impeccably clean. That's possible too. Just unlikely.
You started with two mistaken premises, which makes your analogy a poor comparison:
1. Facebook doesn't have "sloppy" security. The company and its software are massive and have many, many participants involved in the product and software development loop. You have unrealistic expectations for a company of that size with a consumer-facing product. Facebook continually recruits the best available talent in the security industry and empowers them to do their jobs without shooting themselves in the feet or getting kneecapped by cavalier product design. They also produce some of the best security research and implement best practices wherever they can.
I want you to look through any of Facebook's main or subsidiary applications and tell me how quickly you can identify CSRF, XSS, SQL injection, or a logical ACL failure like the one presented in this report. What you are not seeing is the utter deluge of bug bounty reports Facebook receives as a company and the nearly impeccable track record it has. The company receives over 80,000 reports each year, and fewer than 10% are valid security vulnerabilities. A tiny portion of those could be classified as "high" or "critical" severity.
You are also not seeing the meticulous, continually running machine that is the overall Facebook security organization. Not only are bug bounty participants aggressively recruited at Facebook, they are frequently put in charge of maintaining one of the most successful and recognizable bug bounty programs in the industry. Have a read through Ryan McGeehan's writings and presentations for a bit of insight into how much investment Facebook has put into incident response and security tooling in the past decade.
2. On a more technical level: rate-limiting is vastly simpler than overall security vulnerability resolution. It is comparatively straightforward to implement a rate limiting system with enough sophistication to combat a sizeable botnet attempting to crawl through a web application or automate user actions. Facebook does this using a variety of heuristics and even machine learning, with collaboration between the security (incident response), risk and data analysis teams doing the heavy lifting. While the work itself might not be easy, the deliberables and outcomes for such a system are very clear. In contrast, application security is a hard problem which primarily results from a software implementation that doesn't match the design spec (logical errors) or a design spec which fails to correctly incorporate a risk assessment. It is not straightforward to eliminate every vulnerability, because you can't just write a script that proves immunity from the OWASP Top Ten and be done with it.
It shouldn't be surprising. The whole point of Facebook is sharing information. Not much point to a social network if your friends can't see a thing you post. Permeable membrane is permeable.
>This is assuming that you could realistically automate the act of inviting and uninviting non-friends without any penalization. In fact, what would probably happen is a rate-limit trigger that would temporarily knock out access from your IP address. There are also account-level rate limits, not just IP-level.
I think you are underestimating the capabilities of botnets and what you can buy from them with a handful of dollars.
No, I fully understand that, which is why I said "probably." However, it would be a sophisticated botnet to challenge Facebook's rate limiter, and moreover, it would still have the problem of producing an excessive amount of noise when Facebook saw an influx of users and IP addresses continually inviting and uninviting other users.
From personal experience I can actually say scraping Facebook, although not trivial, is also not as difficult as you would likely expect, and their rate-limiting is pretty lenient.
IP's/Accounts are very easily to come by these days.
Is this sarcasm? Is this not one of the main strategies in lead generation?
Linking email addresses to facebook accounts to groups they're involved in and developing target markets for certain users and selling those lists (ex. gamers) to less-than-reputable and maybe even reputable marketing companies seems like it could be profitable... Maybe I'm naive?
You could send emails to FB users directly to their facebook email (don't know whether this exists anymore). In 99% these emails were relayed directly to the users mailbox (probably with the added benefit of coming from the facebook.com domain).
Many reported this, but it was not eligible for bug bounty, it was a feature according to FB, even though it circumvented their pay 1$ to deliver your message to someone you are not friend with.
Emails sent to a user's Facebook email address goes to their messages (FB Messenger) mailbox, but they may receive a notification via their personal email.
I've already seen that in Facebook ads, with people selling niche and probably auto generated products to me (my favorite was a shirt that says "I still miss Darius Milhaud"
From my reading of the article it seems like you had to be admin of the group in question because the exploit seems to take advantage of a bug with inviting users to that group. I don't think the vector you describe would work.
OK, there are 2 groups here: Group A, which you're using as a list of users that are interested in a subject. Group B is used to perform the bug, and doesn't have to be an active group at all---You could have just created it for the purpose of performing the exploit.
Ahh my mistake. I didn't realise that you could just retrieve a full list of users for a group (I just tried it and you can) I suspect this API may be fairly closely watched however.
i think its fair. all you will get is the email somebody used to sign in to facebook, and if you tried to do this at mass im sure you would trigger some automated system.
if you really want to target somebody particular there you can get the email address of that person. i have my gmail account from 2004, and at this point, it is resold million times.
all it takes is somebody that i communicated with to do something stupid like allow some app to scan the contact book and my email is in the wild.
I had the same thought. Seems like the value of such an exploit could be a lot more than $5k to the right people in the open market.
The macro effect is that when someone with lower moral/ethical standards discovers such an exploit it's more likely the find will end up being sold for more money and ultimately used maliciously in the wild.
The more $fb pays the greater the incentive will be for shady people to responsibly report it to $fb.
Relying on good samaritans doesn't seem like a sustainable or particularly responsible solution to taking care of those trusting the Facebook platform to not leak their private information.
Seems like the value of such an exploit could be a lot more than $5k to the right people in the open market.
Probably not. What would the buyer do with it? It's probably very hard to mass scrape FB (rate limiting would kick in), and there are other ways of getting a specific email address.
It appears to be the researcher's own address. Also, the censoring in the image is Facebook's, not the researcher's - this discrepancy is exactly the bug they're disclosing.
Beat me to the reasoning for that lol thanks! But yea as he stated, it's one of my work email addresses I use for testing so figured the less censoring I did the better to show the full impact etc.
Facebook's Wrong Password page has a bunch of weird behavior that, as a lay person, I disagree with.
Entering an old password into Facebook will tell you as such [1]. I can't really think of a practical attack for this towards facebook, but I'm really weary of any system that reveals information about passwords, even though I somewhat feel I'm being overly paranoid. Password recycling just seems to be too prevalent to allow me to ignore this, even though it seems impractical to me. I guess I just don't like that it reveals password information.
Enough failed logins automatically sends a temporary login pin to the email on file. Again, I feel that in a practical sense this isn't a big issue since if you can get access to the email that has the login pin you also likely have access to the victim's machine that is already logged in, but it still feels like a weird practice to automatically generate temporary credentials without being asked.
Confirmation of old password isn't such a big deal. If you are concerned that a password was shared with another site and not changed, the attacker has an easier test: use the password at the other site.
On the other hand, major utility boost for users. "I KNOW this is my password!" Actually, it was your password before you changed it. "Oh right."
I know I do this quite frequently. Enter password. (Wrong.) Guess I have to change it. Reset. (New password must be different than existing password.) My "new" password is the one I changed it to last time, before forgetting.
This happens to me with arcane password requirements that only tell you the requirements after you reset it.
try various passwords -> "Invalid password" -> send reset password email -> click email -> "passwords require a special character AND a number AND an unprintable character" -> me: ooooh, its that one -> enter it -> "password already used" -> enter another password I'll definitely forget next time.
There are websites I need so occasionally that I'm sure that I have never logged in without resetting my password.
Why would you equate 'the primary email address' with your primary email address rather than the one FB thinks of as the primary? You're like a guy who sees a sign saying 'beware of pickpockets' and boasts about how he's smarter than that because he keeps his money in his shoe.
Did you know that this behavior is widespread enough that pickpockets sometimes put up their own warning signs, so as to observe where people unconsciously touch their wallet through their outer clothes when they encounter the sign?
Not sure why you are getting downvoted, but... Same for me, facebook only has a spamgourmet address for me, and that address is set to only forward email from the facebook domain. Anyone else emailing it is just sending bits into the ineffable aether.
I would set it up to forward everything, and stop that first when it get abused. Now you potentially miss emails sent to that adress if there were to use another adress to send emails with no clear gain.
Did I miss it? I don't see anywhere the author said "I think this facebook bug is worth more than XY dollars". It is obviously worth more than the $5,000 bounty given to someone willing to exploit it. Being able to harvest the email address of any arbitrary Facebook user would be worth much more than $5,000.
If bug bounty hunters are making a calculation of whether to report or sell on the black market, a bug like this would fetch a very large price. I hope people don't add shades of gray, or stripes of black, to their hats with the discrepancies that are regularly reported.
I think they're referring to the comments where this already very dead horse seems to be regularly beaten whenever a bug bounty is discussed. Much like Google Reader was(is?) on every article about Google, Facebook is evil, etc.
I'm kind of torn about it since I've come to realize that new readers won't have the same reaction to the drudgery of reading these repetitive arguments so they may have value but it's pretty annoying if you're a regular reader. It's easy enough to ignore it and/or hide it but if you feel strongly about it one way or another a compulsion to make sure your side is accurately and convincingly represented tugs at you.
Even at $5000 this set a personal high payout record for me. The easy legal money is better than taking a risk in a grey area such as selling exploits on the darknet. May not be as profitable this way, but I have no complaints and an extra 5k 2 days before xmas is a hell of a gift imo.
Hah. That's why I pointed out that you weren't one of those who complained about the payout. I just found it odd that someone would say they didn't want that to be discussed. I think it's an important part of the discussion. I definitely agree -- easy legal money is always preferable to sketchy darknet money.
Exactly. And with my past it is much better to stick to the right side and not venture into grey areas. Prison is not fun, so would really like to avoid it more in the future.
1. Find a group on Facebook of users you're interested in.
2. Do this bug to get all of their emails.
3. Building a lookalike audience from these emails.
Goldmine.