The main thing is that the security division at facebook probably runs
the bug hunting page (as with everywhere else, which does make a decent
bit of sense). And, if you spot bugs before they do, then that looks
bad on them (internally at the company and externally to the world).
So, it is
nice speculation, but imo it would make them look more bad, if they turn
down the reports, because it will come back to them (either via the
publication like in this case, or just simply someone exploiting it).
so while I don't have personal experience working with the facebook
security team, but
From: Charles Morris cmor...@cs.odu.edu
Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
To: Nathan Power n...@securitypentest.com
Cc: Full Disclosure full-disclosure@lists.grok.org.uk
Message-ID:
CABgawuYGTu1=eg2nesd9g_n_aapwe1myqzrznc0tdz5sqsb...@mail.gmail.com
Content-Type
Yes to a certain degree it's all about Saving FACE. .. however FB's
30-member integrity team is only bothered about how to manage the vectors
that have been primed to protect.
FB is the largest network protected .. (YES big word Protected !! / they
have over 25B checks per day and reaching up to
On Tue, 01 Nov 2011 14:00:42 BST, Ferenc Kovacs said:
nice speculation, but imo it would make them look more bad, if they turn
down the reports, because it will come back to them (either via the
publication like in this case, or just simply someone exploiting it).
So exactly how big a hit did
Hey great read,
very true, there is way too little money in this area, but that's
what I am hoping to change, albeit pinch per punch and company by
company, slowly if more people turn to some ideals that you must
at least know how to make the exploit and then how to debug it enough,
then to
I sort of have to agree with this, as I earlier stated, FB somehow
seems to affect even those who don't use it (like me), but all my
family, and their friends and their friends, as I know, nearly
everyone I know uses it but me!
I guess this is why I am a bit peeved at their offer of 500bux for a
March 8 is the 67th day of the year (68th in leap years) in the
Gregorian calendar. There are 298 days remaining until the end of the
year.
I doubt that's what you mean but eh ;)
On 2 November 2011 02:58, valdis.kletni...@vt.edu wrote:
On Tue, 01 Nov 2011 14:00:42 BST, Ferenc Kovacs said:
Sounds great thx :)
Is maybe a bit of this chatter which aids them to see how important it
is to link to the community who find 99.9% of bugs. I am glad to
see *any* expansions within any corporation, it means they are at least
listening to those who know better maybe than they do... but they're
Nathan, It IS an issue, don't let their foolishness harsh your mellow.
Although it's a completely ridiculous, backwards, and
standards-relaxing security mechanism,
the fact is they implemented it, and you subverted it.
In my book that's Pentester 1 :: Fail Vendor 0
I've had large vendors
Oh hey, 3k is great!
I saw that they just made it look a bit cheap... no wrath but, it is
still a MULTI billion now, dollar company, so they should be trying
to make SURE they can outbuy ANY underground payers.. that's all I had
to question.
thanks for clearing it up, but sure, if they're paying
On Sat, Oct 29, 2011 at 2:33 PM, xD 0x41 sec...@gmail.com wrote:
Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 usd for remote-code injection) ,
Actually, it's $500 _or more_. I've lost the reference, but I think
they paid about $3000 for
That was the original program I was participating in. Facebook has agreed
to pay me a bounty for this bug.
Nathan Power
www.securitypentest.com
On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k ulise...@gmail.com wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct
Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 usd for remote-code injection) ,
one remote code injection bug for FB in a security environment which is
not white, and may sell the bug for up to more than 5000, because if a
RCE or other was
Is this for real? If so, this is a huge scandal imho. Such a simple error
for a Facebook developer to make.
On 27 Oct 2011 13:53, Nathan Power n...@securitypentest.com wrote:
-
1. Summary:
When using the Facebook
Nice one Nathan :)
On Thu, Oct 27, 2011 at 9:33 PM, Dan Ballance tzewang.do...@gmail.com wrote:
Is this for real? If so, this is a huge scandal imho. Such a simple error
for a Facebook developer to make.
On 27 Oct 2011 13:53, Nathan Power n...@securitypentest.com wrote:
Not fixed yet. At least not yesterday when I checked.
Nathan, didn't Facebook ask for some time to fix this bug after they have
acknowledged it?
Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
On 27/10/2011, at 19:29, Joshua Thomas rappercra...@gmail.com wrote:
can't believe
Not fixed yet. I checked today.
On Fri, Oct 28, 2011 at 1:18 PM, Pablo Ximenes pa...@ximen.es wrote:
Not fixed yet. At least not yesterday when I checked.
Nathan, didn't Facebook ask for some time to fix this bug after they have
acknowledged it?
Pablo Ximenes
I don't think that he waited for vendor to confirm fix in production and I
don't see a reason that he needs to wait. If FB did not ask him to refrain
from disclosure.. why should he?
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly
Agreed. What I'm asking is whether Facebook did ask him to wait. Did it? If
it did it's a whole different ball game.
Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
On 28/10/2011, at 13:01, Peter Dawson slash...@gmail.com wrote:
I dont think that he waited for vendor to
oh ok.. I see your point.. if they did tell him to wait and he failed their NDA..
then it's an issue
/pd
On Fri, Oct 28, 2011 at 12:04 PM, Pablo Ximenes pa...@ximen.es wrote:
Agreed. What I'm asking is whether Facebook did ask him to wait. Did it?
If it did it's a whole different ball game.
seems they use string.endwith to decide if it is exe
--
Sorry, I can't go into detail right now. This email was sent from an Android mobile device with K-9 Mail installed.
Vipul Agarwal vi...@nuttygeeks.com wrote:
Nice one Nathan :)
On Thu, Oct 27, 2011 at 9:33 PM, Dan Ballance tzewang.do...@gmail.com wrote:
Is this for real? If so, this is a huge scandal imho.
I see. I have seen this kinda behavior from vendors too often. I suppose the
reason for this is the flood of false positives. I think they need a better
way to sift the wheat from the chaff.
Congrats for your work!
2011/10/28 Nathan Power n...@securitypentest.com
I was basically told that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I think they need a better way to sift the wheat from the chaff.
Numbers can be magic and eight bytes is enough of a taste to tell honey from
vinegar.
Nice find
Dave
On 28/10/2011 18:56, Pablo Ximenes wrote:
I see. I have seen this kinda
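The two technical remarks in this thread, that the upload filter apparently decides "is it an .exe" from the filename suffix, and Dave's point that the first eight bytes of a file are enough to recognise its real type, are illustrated below in an added example. This is not code from the thread, from Nathan Power's advisory, or from Facebook; the suffix check is written the way the poster suspects it works (an assumption), the blocked-extension list is an assumed policy, and the sample attachments are constructed inline. The hardened version normalises the filename and then also inspects the leading bytes for the magic numbers of PE, ELF and Mach-O binaries, so an executable is refused regardless of what it is called.

```python
import os

# Assumed policy: extensions the attachment filter should refuse outright.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                      ".msi", ".ps1", ".vbs", ".js"}

# Magic numbers of common native executable formats. Eight bytes of the
# upload are enough to match any of them.
EXECUTABLE_MAGICS = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}


def naive_is_exe(filename):
    """The weak check the thread suspects: an exact suffix match on the raw name."""
    return filename.endswith(".exe")


def normalize_name(filename):
    """Reduce a client-supplied filename to a canonical base name.

    Keeps only the last path component, drops surrounding whitespace and
    trailing dots (Windows ignores both when opening a file) and folds case.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()


def hardened_is_executable(filename, head):
    """Return (is_executable, reason).

    `head` is the first bytes of the uploaded content (eight is enough).
    The name check runs on the normalised name; the content check is
    independent of the name, so a renamed binary is still caught.
    """
    name = normalize_name(filename)
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked extension {ext}"
    for magic, label in EXECUTABLE_MAGICS.items():
        if head[: len(magic)] == magic:
            return True, f"content signature: {label}"
    return False, "ok"


# Constructed sample attachments: (filename as sent by the client, first bytes).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("setup.EXE", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("C:\\Users\\x\\tool.bin", b"\x7fELF\x02\x01\x01\x00"),
]


def compare_checks(samples=SAMPLES):
    """Run both checks over the samples; returns rows of (name, naive, hardened, reason)."""
    rows = []
    for name, head in samples:
        blocked, reason = hardened_is_executable(name, head)
        rows.append((name, naive_is_exe(name), blocked, reason))
    return rows


if __name__ == "__main__":
    for name, naive, hardened, reason in compare_checks():
        print(f"{name!r:28} naive={naive!s:5} hardened={hardened!s:5} {reason}")
```

Running the script shows the two checks disagreeing on every sample except the plain `setup.exe`: the naive suffix test passes a PE binary named with an upper-case extension or a `.jpg` name, while the hardened check refuses both because the `MZ` signature is in the content. The converse also matters for a defender: the name check still catches script types (`.bat`, `.vbs`) that have no fixed magic number, which is why both layers are kept.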
I was basically told that Facebook didn't see it as an issue and I was
puzzled by that. Ends up the Facebook security team had issues reproducing
my work and that's why they initially discarded it. After publishing, the
Facebook security team re-examined the issue and by working with me they
seem
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure
Nathan Power
www.securitypentest.com
On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power n...@securitypentest.com wrote:
I was basically told that
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct 28, 2011 at 17:49, Nathan Power n...@securitypentest.com wrote:
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct 28, 2011 at 17:49, Nathan Power n...@securitypentest.com wrote:
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a habit of ignoring issues
So? That's their problem, not yours.
The moral thing to do is to work with them on a responsible
On 10/28/2011 10:03 PM, valdis.kletni...@vt.edu wrote:
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a habit of ignoring issues
So? That's their problem, not yours.
The moral
On Fri, Oct 28, 2011 at 11:15 PM, Laurelai laure...@oneechan.org wrote:
On 10/28/2011 10:03 PM, valdis.kletni...@vt.edu wrote:
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a
-
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to attach a
file.
Using this feature normally, the site won't allow a user to attach an
executable file.
A bug was discovered to subvert this
can't believe such was on FB wahahaha !!! lol rofl ...
When was this discovered and fixed ?
On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power n...@securitypentest.com wrote:
-
1. Summary:
When using the