Monday, December 07, 2015

Facebook Don't Care About Their Users Again

Several years ago, a researcher found a vulnerability in Facebook and he informed the official and provided with the PoC in full details when asked. Later, the researcher was told that it was not vulnerable. The researcher then exploited the founder of Facebook account with the vulnerability that he found in order to alert the founder. However, the researcher could not get his bug bounty at the end and the vulnerability was fixed by Facebook then. Some Facebook users knowing that, they then funding the researcher themselves as they thought that the researcher need the reward.

Today, another researcher, teh3ck (Twitter @teh_h3ck) found a open-redirect vulnerability and Facebook has been informed. However, tech3ck was informed that "the security impact of this bug is not significant" and refused to pay the bug bounty. The following is the timeline of the bug report :

12th of Nov 2015 | Initial bug report
12th of Nov 2015 | Reply from FB bot that it is false positive
12th of Nov 2015 | Added more clarification for the bug
16th of Nov 2015 | Reply from facebook that they use a blacklist method on their next_uri
16th of Nov 2015 | Sent POC videos of the bug that show the impact of the vulnerability
18th of Nov 2015 | Reply from facebook that i am redirecting to a non blacklisted site
18th of Nov 2015 | Explaining why url blacklisting is not the solution for the specific bug
26th of Nov 2015 | Reply from fb that security impact of this bug is not significant.
6th of Dec 2015 | Public post of the bug

For details, please refer to Vag Mour site.

In conclusion, Facebook and her security team are suck again.

That's all! See you.

Update :

After teh3ck and this article posting several hours, Facebook fixed the vulnerability without giving teh3ck any bug bounty. My recommendation is not to report to Facebook if you find something else on it. You will never never never get the bug bounty for sure.