That was the original program I was participating in. Facebook has agreed to pay me a bounty for this bug.

Nathan Power
www.securitypentest.com

On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k <ulise...@gmail.com> wrote:
> You know this? ;)
> https://www.facebook.com/whitehat/bounty/
>
> On Fri, Oct 28, 2011 at 17:49, Nathan Power <n...@securitypentest.com> wrote:
> >
> > I would also like to note this vulnerability was reported responsibly in regards to full disclosure.
> > http://en.wikipedia.org/wiki/Full_disclosure
> >
> > Nathan Power
> > www.securitypentest.com
> >
> > On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <n...@securitypentest.com> wrote:
> >>
> >> I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially discarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
> >>
> >> Nathan Power
> >> www.securitypentest.com
> >>
> >> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pa...@ximen.es> wrote:
> >>>
> >>> Not fixed yet. At least not yesterday when I checked.
> >>> Nathan, didn't Facebook ask for some time to fix this bug after they have acknowledged it?
> >>>
> >>> Pablo Ximenes
> >>> http://ximen.es/
> >>> http://twitter.com/pabloximenes
> >>>
> >>> On 27/10/2011, at 19:29, Joshua Thomas <rappercra...@gmail.com> wrote:
> >>>
> >>> can't believe such was on FB .... wahahaha !!! lol ....rofl ...
> >>>
> >>> When was this discovered and fixed ?
> >>>
> >>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power <n...@securitypentest.com> wrote:
> >>>>
> >>>> ---------------------------------------------------------------------------------
> >>>> 1. Summary:
> >>>> When using the Facebook 'Messages' tab, there is a feature to attach a file.
> >>>> Using this feature normally, the site won't allow a user to attach an executable file.
> >>>> A bug was discovered to subvert this security mechanism. Note, you do NOT have
> >>>> to be friends with the user to send them a message with an attachment.
> >>>> ---------------------------------------------------------------------------------
> >>>> Read the rest of this advisory here:
> >>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
> >>>>
> >>>> Enjoy :)
> >>>>
> >>>> Nathan Power
> >>>> www.securitypentest.com
> >>>> _______________________________________________
> >>>> Full-Disclosure - We believe in it.
> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>> Hosted and sponsored by Secunia - http://secunia.com/