
This was discussed at length when it was first submitted here 5 years ago. The researcher found a (known) exploit, claimed $2500, then a month later used internal details he gathered (and saved) from the first exploit to breach the system further to demand a bigger payout.



They didn't change the credentials that had been hacked? God I wish the hacker had sold the vuln to North Korea.


Real life is not like the movies, in which a floppy disk of info is exchanged for a suitcase of money in a dark alley or in a boardroom. Blackhats typically find that there is little market for their info, especially before the advent of bitcoin being popular. Yeah, you cracked a bunch of selfie pics. What can you do with it? Not much.


He had signing keys for the Instagram app and the *.instagram.com keypair. Do you think that's not valuable and dangerous?


Sorry, can you explain what the signing keys and keypair would allow someone to do?


Would allow you to make an app that steals all your info and release it as if it was the latest app from instagram.


Wouldn't you also need login info (prob including 2fa) to an Apple developer account?


If *.instagram.com keypair is the TLS certificate keypair, then they could MITM Instagram. They'd probably need to physically stalk some Instagram employees, but getting the TLS certificate key pair would be the difficult part.

On a related note, what do MS Windows/OSX/Android/iOS/Linux do when they see a WiFi AP with an SSID (and maybe even MAC) they recognize, with a WPA2 key they know, operating without encryption? Will they still auto-connect in the clear? In other words, if an attacker cloned the SSID of someone's work/home network, with a strong enough signal, could they trick devices into auto-connecting to an unencrypted AP?


People do this with public WiFi - for example, set up at Starbucks with a duplicated SSID, wait for target to connect and route it through as if it were connected to the real Starbucks WiFi, all the while monitoring in the middle.
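A defender-side check for the cloned-SSID scenario raised above, added here as an example and not from any commenter: compare a Wi-Fi scan against the device's saved profiles and flag any AP that advertises a known SSID but is open (or otherwise uses a different security mode) or comes from a BSSID never recorded for that network. The profile table, BSSIDs and scan rows are constructed values, not captured data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2", "WPA3"; "" means an open network


# Constructed sample: SSIDs this device has saved profiles for, the security
# mode the profile was saved with, and the AP MAC addresses seen so far.
KNOWN_PROFILES = {
    "CorpNet": {"security": "WPA2", "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}},
    "HomeNet": {"security": "WPA2", "bssids": {"de:ad:be:ef:00:01"}},
}

# Constructed scan result (hypothetical values, not from a real network).
SCAN = [
    ApObservation("CorpNet", "aa:bb:cc:00:00:01", "WPA2"),  # legitimate AP
    ApObservation("CorpNet", "11:22:33:44:55:66", ""),      # known SSID, open, unknown BSSID
    ApObservation("HomeNet", "de:ad:be:ef:00:01", "WPA2"),  # legitimate AP
    ApObservation("HomeNet", "de:ad:be:ef:00:09", "WPA2"),  # unknown BSSID, same security
    ApObservation("CoffeeShop", "00:11:22:33:44:55", ""),   # no saved profile: ignored
]


def find_suspect_aps(scan, known=KNOWN_PROFILES):
    """Return (observation, reasons) for APs that use a saved SSID but
    deviate from what the saved profile expects."""
    suspects = []
    for ap in scan:
        profile = known.get(ap.ssid)
        if profile is None:
            continue  # SSIDs without a saved profile cannot trigger auto-connect
        reasons = []
        if ap.security != profile["security"]:
            reasons.append(f"security {ap.security or 'OPEN'} != saved {profile['security']}")
        if ap.bssid not in profile["bssids"]:
            reasons.append("BSSID not previously seen for this SSID")
        if reasons:
            suspects.append((ap, reasons))
    return suspects


if __name__ == "__main__":
    for ap, reasons in find_suspect_aps(SCAN):
        print(f"{ap.ssid} {ap.bssid}: " + "; ".join(reasons))
```

A new BSSID on a multi-AP network can be legitimate (a new or replaced access point), so the BSSID-only finding is a lower-confidence signal than a security downgrade to open.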


And what do they do with it? Set up a global worldwide network of agents extorting money from people sending dick pics over Instagram?


> Yeah, you cracked a bunch of selfie pics. What can you do with it?

FTA: "specifically I gained access to a lot of data including SSL certs, source code, photos, etc"

> Blackhats typically find that there is little market for their info, especially before the advent of bitcoin being popular.

And now?


Bug bounty programs pay you for the severity of the exploit, not the potential damage you could do with it. The researcher found an unpatched server with a known Ruby RCE and cracked a weak password. Whether he found the server empty or containing nuclear codes isn't what determines the payout.

Storing user data and private keys on your computer after reporting the hack and using them again to access the systems is way beyond the scope of a bug bounty program (and probably criminal).


> the severity of the exploit, not the potential damage you could do with it

Isn't severity measured in terms of potential damage?


Yes.

https://www.facebook.com/BugBounty/posts/approaching-the-10t...

CDN bug report... Earlier this year we received a report from Selamet Hariyanto who identified a low impact issue in our CDN... a very sophisticated attacker could have escalated to remote code execution. As we always do, we rewarded the researcher based on the maximum possible impact of their report, rather than on the lower-severity issue initially reported to us. It is now our highest bounty — $80,000.


In 2017 Doxagram made well over 100k selling emails and phone numbers associated with a relatively small list of Instagram accounts.





