As someone who is nowhere near skilled enough to do any such things, I am so impressed with these types of posts, very interesting stuff. I can also appreciate that you directly reported these vulnerabilities to FB.
As the history of white-hat hacking shows, keep hacking but shut up! Because even if you tell the author you found a way to get into their system and you haven't caused any damage, they will surely come after you in a legal way.
In the example herein, not only does the author prove time after time that there are serious holes in FB's auth system, but he is also very happy to blog about it. You see, FB is a publicly traded company. The management answers to stockholders and the board. If some Joe Hacker keeps finding holes in the system, someone somewhere reading that blog may be thinking of abandoning the FB platform due to its security layer looking like Swiss cheese. And management doesn't like that, because fewer users == fewer eyeballs for $.
My gut tells me that if this guy has not gotten an offer to work for Facebook just yet, it means they are building a lawsuit against him, as you know perfectly well that the FB TOS forbids anyone from fiddling with any of their URLs.
I work at Facebook on our whitehat program. To clear this up: we have not, and would never, come after someone properly submitting bugs to us. Quite the opposite: we are very appreciative when someone takes the time to find something and send it our way. Everything is aligned around rewarding responsible disclosure instead of punishing its inverse.
Nir in particular is one of our best supporters (rough rankings: https://www.facebook.com/whitehat/thanks/); we certainly have no intention to sue him or anyone submitting bugs to us. He even stopped by our office last week to talk about bugs.
Because of the volume of reports, we have settled on scanning every new item quickly, categorizing it by severity, and then responding. As you say, it is a minor privacy issue, so it looks like it went into a lower-priority area. I will make sure you hear back soon.
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Only question: who decides what "reasonable time" is? Because something tells me it's not the hacker, it's Facebook itself.
"reasonable whatever" is often used in laws/courts/contracts. Lawyers and judges are used to interpreting this. If Facebook were to sue you, you could start talking about it as part of your defence.
Additionally, Facebook needs to be seen to be reasonable and have a proper 'whitehat' policy. If they start being mean and dictatorial here, then there will be a breakdown in social trust. People won't report bugs to Facebook; people will sell vulnerabilities on the black market. People will release exploits before telling Facebook. It will, eventually, be bad for Facebook.
I'm under the impression that FB's whitehat program is active enough that submitters don't experience the notification black hole that has required crackers to raise awareness by broadcast elsewhere. That is, "reasonable" has a way of taking on concrete meaning when the site/company actually responds.
I imagine FB requests that details of the vulnerability are kept private until they have informed the discoverer that they are happy for it to be published.
When I was a pre-teen I used to test the security of websites because it was a fun challenge. I spent days trying to find exploits in Myspace which allowed me to build cookie grabbers because it was very satisfying to know that I was able to beat experienced engineers. It's kind of like contributing to open source software... it's a way to use your skills in a way that doesn't feel like "work".
Maybe it's because some people are genuinely good people.
That, and anyone in a collaborative field would gladly welcome beneficial tweaks to their product. Karma.
Sure, but the beneficiary is a company, and publicly held at that. You're implying that the inverse is true, that not sharing exploits with a company whose sole purpose is to accumulate money somehow makes you a bad guy. It doesn't. That's like saying I should code for free in order to be a good guy.
At which point should people consider not using a technology which has been repeatedly exploited and start using something where security has been thought about from the start?
Because we all know that the article "How I hacked FB using OAuth a 3rd time" is coming...
This isn't really a generic OAuth bug though. This stems from the fact that you can trick the redirection scheme that Facebook uses into thinking that you are the legitimate owner of an application whilst using your own backend-flow URL.
This isn't going to affect 99.999% of OAuth implementations and arguably just shows that Facebook made an error in their design.
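The redirect_uri validation the comment above describes only in the abstract, as an added example (not from this thread and not Facebook's code; the application, hostnames and registered URIs are assumptions chosen for illustration): three ways an OAuth 2.0 authorization server could decide whether to send the authorization code to a client-supplied redirect_uri, two loose and one strict, run over a constructed legitimate callback and two attacker-chosen URIs.

```python
from urllib.parse import urlparse

# Constructed registration data for a hypothetical client application
# (assumed values, not taken from any real provider).
REGISTERED_ORIGIN = "https://app.example.com"
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def origin_prefix_check(redirect_uri: str) -> bool:
    """Weak: plain string prefix match on the registered origin.

    Accepts any URI that merely *starts with* the registered origin, so a
    lookalike host such as app.example.com.attacker.example passes because
    the string "https://app.example.com" is a prefix of it.
    """
    return redirect_uri.startswith(REGISTERED_ORIGIN)


def host_only_check(redirect_uri: str) -> bool:
    """Weak: parses the URI and checks scheme and hostname only.

    Rejects lookalike hosts, but accepts *any* path and query on the real
    host, so the code can be delivered to an arbitrary endpoint there (for
    instance a page that forwards visitors to a URL given in its query).
    """
    parsed = urlparse(redirect_uri)
    return parsed.scheme == "https" and parsed.hostname == "app.example.com"


def strict_check(redirect_uri: str) -> bool:
    """Strict: the URI must exactly equal one that was pre-registered.

    No prefix, host or pattern matching. This is the exact-match rule the
    OAuth 2.0 threat model (RFC 6819) recommends for authorization servers.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def evaluate(redirect_uri: str) -> dict:
    """Return which of the three validators would accept the given URI."""
    return {
        "origin_prefix": origin_prefix_check(redirect_uri),
        "host_only": host_only_check(redirect_uri),
        "strict": strict_check(redirect_uri),
    }


# Constructed sample inputs: the legitimate callback, a lookalike host the
# attacker controls, and a legitimate-host URL whose query names an attacker
# endpoint (only useful if that page forwards to it; assumed for illustration).
SAMPLE_URIS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com.attacker.example/oauth/callback",
    "https://app.example.com/go?to=https://attacker.example/collect",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, evaluate(uri))
```

Run it and the two weak validators each accept at least one attacker-chosen URI while the exact-match validator accepts only the registered callback; if a provider must support several callbacks, the fix is to register each one in full rather than to loosen the comparison.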
> trick the redirection scheme that Facebook uses into thinking that you are
> the legitimate owner of an application whilst using your own backend-flow URL
Thanks for this summary which demonstrates the importance of both effective communication skills and reading comprehension since I didn't come up with anything close from my dash through the blog post.
For those who read the article, what caused this vulnerability? An input sanitization issue, or a flaw in OAuth2 that other OAuth2 providers should be aware of?
I'd sure love to be told how this type of attack is any less worthy than buffer overflows, or similar attacks upon old school systems? This guy obviously understands where vulnerabilities can be found and is pretty good at exposing them.
A group of people exists that uses "hacker" for people coming up with creative solutions to problems, and "cracker" for any sort of malicious breaking of security, etc. But I fear that ship has sailed.
Then again, Hacker News isn't about new ways to break into boxen, so...
Bollocks. People have been differentiating between cracking and hacking since basic passwords were put on mainframes for accountancy reasons. Predates software protection by a decade or two.
I'm aware of Eric S Raymond's attempt to change the definition. It's still not correct. Nobody uses it that way other than misinformed pedants. This includes the general public, the media, security professionals, and the people who maliciously break into other sites. Just accept that "hacker" means both and move on.