
Facebook gives UK man $20k for discovering security flaw


Facebook has rewarded a British man with $20,000 (£13,000) after he found a bug which could have been exploited to hack into users' accounts.

Jack Whitton, a security researcher, discovered a flaw in the social network's text messaging system.

Facebook thanked Mr Whitton, who is part of the site's "responsible disclosure" hall of fame.

The company, like many on the web, encourages experts to report bugs to them rather than cybercriminals.

To make it worth their while, rewards are offered of varying amounts depending on the severity of the flaw.

Such programmes are known as "bug bounties", with similar schemes being run at the likes of Microsoft, Paypal and Google.

"Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems," Facebook told the BBC.

"Once again, the system worked and we thank Jack for his contribution."

The bug, which has now been fixed, allowed Mr Whitton to spoof Facebook's text message verification system into sending a password reset code for an account that was not his.

Using this, he could go to Facebook, reset a target user's password, and access the account.

Full story: http://www.bbc.co.uk/news/technology-23097404

Howdy Mulreay....

Good to hear they are rewarding those who work behind the scenes for nothing...
'Course one could always say why was he trying that anyways....

Quote from: patio on June 28, 2013, 09:13:42 AM
Howdy Mulreay....

Hey Patio

Quote from: patio on June 28, 2013, 09:13:42 AM
'Course one could always say why was he trying that anyways....

I assume because it is his job in some way to find vulnerabilities.

Quote
Jack Whitton, a security researcher, discovered a flaw in the social network's text messaging system.

Quote
Such programmes are known as "bug bounties", with similar schemes being run at the likes of Microsoft, Paypal and Google.

My luck if I tried to hunt down flaws and share the exploits back with the owners of the site, I'd get caught in the act meddling around and charged with Black Hat Hacking even though I have White Hat Intentions! And would face charges vs a reward..LOL

If there is a way to register with them so that if you're caught, they say we detected and caught you, go back at trying to break through our security vs... we caught you and now you're being charged, I know that I wouldn't mind trying for a $20,000 payout if I happen to stumble across a flaw. I have found flaws in other sites before and as a white hat simply suggested via e-mail to the webmaster that they should fix something etc. which can be exploited. But to be rewarded for being the good guy hacker, now that is appealing to me and many others out there as long as we are not going to end up in handcuffs testing them for flaws!

Microsoft products can be run in a sandbox and hammered for flaws, but websites for Microsoft, Paypal, Facebook, and Google etc. are something that can't be sandboxed and I doubt they will want an army of hack attacks with people hunting for flaws and making their security work overtime to protect while the army of people are fishing for flaws to report and hope for a reward payout for their effort and honesty of good White Hat Hacking Ethics!

I would hate to be a programmer or on a programming team for a company that made software that had to be secure and a flaw in security such as this is brought to light. It's a good thing for the company to be notified and patch it quickly, but it's a huge embarrassment to the programmers who created it. It's one thing when you as a programmer can defend your software with the fact that if anyone has physical access to a machine, they already own it, but an interface that should be so refined to disallow a flaw such as the one he found is a big pie to the face of all programmers involved. Although in places I have worked for in the past who contract out or put programmers on tight deadlines, they get what they pay for by cutting corners or not giving the programmers the time needed to truly create a masterpiece that is flawless vs something that just works, but lacking in protection from threats.
Quote from: DaveLembke on June 28, 2013, 03:37:04 PM
If there is a way to register with them so that if you're caught, they say we detected and caught you, go back at trying to break through our security vs... we caught you and now you're being charged, I know that I wouldn't mind trying for a $20,000 payout if I happen to stumble across a flaw. I have found flaws in other sites before and as a white hat simply suggested via e-mail to the webmaster that they should fix something etc. which can be exploited. But to be rewarded for being the good guy hacker, now that is appealing to me and many others out there as long as we are not going to end up in handcuffs testing them for flaws!
Finding and exploiting security vulnerabilities is not illegal. It depends largely on the exploit itself.

Quote
Microsoft products can be run in a sandbox and hammered for flaws, but websites for Microsoft, Paypal, Facebook, and Google etc. are something that can't be sandboxed and I doubt they will want an army of hack attacks with people hunting for flaws and making their security work overtime to protect while the army of people are fishing for flaws to report and hope for a reward payout for their effort and honesty of good White Hat Hacking Ethics!
This is already happening. Fact is that large sites like Google are constantly under attack by people looking for flaws anyway; the payout is designed so that those that do discover flaws tell them to the people responsible for the product so they can be fixed, rather than selling them to people that intend to exploit them for malicious purposes. Having a payout doesn't make more people try to find problems, because that payout was already applicable through the seedy underbelly of the internet underground.

Quote
but it's a huge embarrassment to the programmers who created it.
Only if the programmers are egotistical douchebags. Otherwise, they recognize that any non-trivial software product is going to have bugs and vulnerabilities.


Quote
It's one thing when you as a programmer can defend your software with the fact that if anyone has physical access to a machine, they already own it, but an interface that should be so refined to disallow a flaw such as the one he found is a big pie to the face of all programmers involved.

The flaw in question was not as obvious as it is being portrayed.

Quote from: DaveLembke on June 28, 2013, 03:37:04 PM
My luck if I tried to hunt down flaws and share the exploits back with the owners of the site, I'd get caught in the act meddling around and charged with Black Hat Hacking even though I have White Hat Intentions! And would face charges vs a reward..LOL
...

Me too!

This is probably the nicest thing I've seen Facebook do, good for the guy! Also kudos for not trying to exploit it but rather reporting it to Fb
