Full Disclosure mailing list archives
Re: Facebook Attach EXE Vulnerability
From: xD 0x41 <secn3t () gmail com>
Date: Tue, 1 Nov 2011 09:11:34 +1100
Oh hey, 3k is great! I saw that they just made it look abit cheap... no wrath but, it is still a MULTI billion now, dollar company, so they shoukld be trying to make SURE they can out bi ANY underground payers.. thats all i had to question. thanks for clearing it up, but sure, if theyre paying better now thats cool, i should have said to, it is atleast a step in the right direction :s Still, they ARE*** a mutil frigging million dollar company lol, so why wouldnt they give say, 1k minimum and make sure they get people more than interested but even fuzzing for bugs wich could potentially be in use already... this is something theyre not covering atall really with 500bux. It is tho, a start... cheers for clearing up theyre rce payout, wow, so they maybe read googles hall of fame and did it in accordance ? Maybe im wrong but.... this company, is not really the same thing as a google, and i guess a bug on this site, would be actually worth 5million pcs to anyone buying it... im just saying for them being so rish, they could do better, and definately, the comapnies who offer nothing, should get nothing back, simple, thats why blackhats sometimes are blackhats, they got rooted around tryin to help some pig headed company who makes millions yet will screw you around so badly, you do realise they tried to reproduce the bug YOU made even, in order to _NOT_ pay you shit. remeber that. But then again, your in theyre pocket now, and really CANT do shit now but say yes sir no sir two bags half fkn full sir. am i rite. cheers tho. FB still sux hairy ones. On 31 October 2011 16:44, Chris Evans <scarybeasts () gmail com> wrote:
On Sat, Oct 29, 2011 at 2:33 PM, xD 0x41 <secn3t () gmail com> wrote:Bounty, another nice way to say *screw you but here anyhow...* I am shocked they offer so little ($500 usd for remote-code injection) ,Actually, it's $500 _or more_. I've lost the reference, but I think they paid about $3000 for one case. Perhaps an RCE? Anyway, your assumption is off.one remote code injection bug for FB in a security environment wich is not white, and may sell the bug for upto more than 5000,You can't compare whitehat vs. blackhat programs. In the latter, you cross moral and legal lines. Most people aren't willing to be such a dick. Perhaps you should reserve your wrath for companies that offer $fuckall for good bugs? :) Cheers Chrisbecause if a RCE or other was there, something wich was 'seadable' or wormable, then theyre bounty should be far higher, because that doesnt even match up to what many 0days would sell for. If someone had a rce for this and were to worm it, now thats a million dollar botnet... that would be for those who could make from it something and there is no shortage of spammers all to happy to take control of 2million or more pcs... Thats just one scenarion, in wich they could loose somuch data and info, and in exchange offer 500bux. What a slap in the face, FB should be ashamed of that price and bump it up atleast for more serious stuff. EXE attachment would be medium to high risk, they would be able to now patch it, after first they did not acknowledge, but also did not have the bounty also... only recently they have added this, with what, a crappy 500 bux, multi million dollar enterprises, wich are saved by these disclosures, and they are paying pittance. SHAME ON YOU FACEBOOK.COM , Shame... Welcome to the Shame-Files FB, your a disgrace to the good people who are helping you. Nice bug, and, atleast you worked with them to reproduce, you realise they would have gave you 0 $ if they had repoduced this, so again, shame on them for only acknowledging this when they failed at repruction. Theat 'bounty' page screams to me of the actual owners writing, and, I bet he even probably hand wrote that, because he is a TIGHT FTSTED pr**k , someone should put a /blackhat/ folder there, but then, its not worth the time :) (no bug payout rofl...) Notice also, D0S is not part of this, well then this would be funny if one were to find a 0dayer in FB (ala apache d0s byterange style) , well dont bother disclosing it , just run it on a loop from theyre own pages, afterall, whats the use to disclose such a shitty thing (yes this is true it is shitty but, is all cases same...) So summary is, Remote code injection or other, will get ya 500$ ,but, if you goto an UG blackhat site, you might get 5k and up :P xheers and again, thanks for being a good person and helping the citizens of FB, really tho, you have, probably saved me even, 20 removals from my sisters PC :P So, yes, I thank you and FD surely would thank you but, FB dont give a damn :P If they have anyone on this list who is also in theyre secteam well, you really have a 'suck-ass' bounty, wich should be looked over, because seriously, what worth would be it to give you anything, when it is directly cheaper from wqebsites to buy it, and not have any disclosure atall. I guess this is something YOU need to ponder, not me, and im glad for that, and Im glad again, i dont use the shitty service, and never will. Enjoy, have a great day! On 30 October 2011 05:12, Nathan Power <np () securitypentest com> wrote:That was the original program I was participating in. Facebook has agreed to pay me a bounty for this bug. Nathan Power www.securitypentest.com On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k <ulises2k () gmail com> wrote:You know this? ;) https://www.facebook.com/whitehat/bounty/ On Fri, Oct 28, 2011 at 17:49, Nathan Power <np () securitypentest com> wrote:I would also like to note this vulnerability was reported responsibly in regards to full disclosure. http://en.wikipedia.org/wiki/Full_disclosure Nathan Power www.securitypentest.com On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np () securitypentest com> wrote:I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially disgarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug. Nathan Power www.securitypentest.com On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pablo () ximen es> wrote:Not fixed yet. At least not yesterday when I checked. Nathan, didn't Facebook ask for some time to fix this bug after they have acknowledged it? Pablo Ximenes http://ximen.es/ http://twitter.com/pabloximenes Em 27/10/2011, às 19:29, Joshua Thomas <rappercrazzy () gmail com> escreveu: can't believe such was on FB .... wahahaha !!! lol ....rofl ... When was this discovered and fixed ? On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power <np () securitypentest com> wrote:--------------------------------------------------------------------------------- 1. Summary: When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment. --------------------------------------------------------------------------------- Read the rest of this advisory here: http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html Enjoy :) Nathan Power www.securitypentest.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Facebook Attach EXE Vulnerability, (continued)
- Re: Facebook Attach EXE Vulnerability Dave (Oct 28)
- Re: Facebook Attach EXE Vulnerability Nathan Power (Oct 28)
- Re: Facebook Attach EXE Vulnerability Ulises2k (Oct 28)
- Re: Facebook Attach EXE Vulnerability Laurelai (Oct 28)
- Re: Facebook Attach EXE Vulnerability Valdis . Kletnieks (Oct 28)
- Re: Facebook Attach EXE Vulnerability Laurelai (Oct 28)
- Re: Facebook Attach EXE Vulnerability Jeffrey Walton (Oct 28)
- Re: Facebook Attach EXE Vulnerability Nathan Power (Oct 29)
- Re: Facebook Attach EXE Vulnerability xD 0x41 (Oct 29)
- Re: Facebook Attach EXE Vulnerability Chris Evans (Oct 30)
- Re: Facebook Attach EXE Vulnerability xD 0x41 (Oct 31)
- Re: Facebook Attach EXE Vulnerability Charles Morris (Oct 31)
- Re: Facebook Attach EXE Vulnerability Vipul Agarwal (Oct 28)
- Re: Facebook Attach EXE Vulnerability fengclient (Oct 28)