Stealing Facebook access_tokens using CSRF in device login flow
josipfranjkovic.com

The circle jerk discussion about the rewards paid out by bug bounties on this site is getting ridiculous. It has been talked about ad nauseam and it seems that most people crying that the reward isn't high enough because "you could make so much more on the black market" don't actually know anything about how vulnerabilities are monetized on the black market.
You're probably right, but this comment would be a lot better if it included information (e.g. about how the black market works) and dropped the slurs ("circle jerk", "crying").
You're right. It was a bit of a knee jerk response to what I was reading in the comments.
I'd be curious to know what those same folks think regular security staff should be paid.
From another thread here, the author talking about the time involved:
>Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
I'll round his estimate up to 6-8 hours, or basically a normal work day:
$5000 / 8 = $625 an hour
$625 * 40(hour work-week) * 50(weeks) = $1,250,000 annually
Let's say it took an entire week's worth of time (comes out at $125/hour):
$5000 * 50 = $250,000
Is that range wildly out of line for what Facebook would potentially be paying for a full-time employee? The actual salary number would probably be lower; this would include the cost of taxes/insurance/perks/etc.
Even as a contractor, where the "expect to bill ~1000 hours a year" rule of thumb is/was common, the range comes out at $125,000-$625,000.
Seems as though if you can reliably find organizations willing to pay these amounts and have the skill/luck/grit to grind out vulnerabilities at those companies you'll make a decent living. Or, put another way, these companies are paying bounties comparable to what the same research would have cost coming from a staff member.
Why would you calculate hourly rate? I'd rather try to calculate the economic impact that this could have for the company, especially marketing costs to repair bad PR if something like private messages, pictures, info, etc. get breached. Do you think Facebook would spend $5,000 for that? Hell no, marketing budgets are in the magnitude of millions of dollars... I'm in no way advocating exploiting these vulnerabilities, and kudos to the OP (and many others) for finding these bugs and reporting to their companies instead of exploiting. I just think that big tech companies should pay bigger bounties.
The hourly rate is to make an apples-to-apples comparison to someone whose full-time job is to do that kind of security work, either salaried or contracted.
Would it make sense to award bonuses to every in-house security researcher based on an estimated, hypothetical worst-case cost? It doesn't take much imagination to see how that reasoning applies to other positions. Do accountants get big bonuses for avoiding multi-million-dollar errors? Lawyers for avoiding costly lawsuits? Operations (IT and otherwise) for keeping infrastructure running? Customer service for assuaging disastrous public interactions? Stretched to absurdity, would you pay for a taxi based on how badly you need to get to point B?
I believe saying "preventing these kinds of problems (doing this work) is what we pay you for" is a reasonable conclusion and paying a market rate for that general value makes more sense versus calculating a kind of commission per individual contribution. That does have a certain appeal (and I wouldn't mind seeing a discussion about it) but I haven't gotten the impression that's the perspective of those who think all* bug bounties should be higher.
*: Added caveat as I'd bet every researcher can name companies that pay poorly
$250k/yr is not at all a crazy number for someone who can reliably generate Facebook vulnerabilities from a black box cold start.
I don't think you can infer that all the researcher's findings would be critical bugs in one of the big companies (that pay well). It probably follows a normal distribution where most of the time it's non-critical bugs in medium-sized companies.
I'd love to learn about how these sorts of vulnerabilities tend to get monetized in black market settings.
Is there much reading available for that kind of thing?
No, there isn't. Even the people who participate in the grey market for exploits (sales that aren't overtly prohibited by law and for which participation would be unlikely to make you an accessory to a felony) are very quiet about it.
But, a good starting point might be the analyses people have done on the Hacking Team leak.
What's your opinion on bug bounties for hosted applications v.s. bug bounties for actual pieces of software?
To me, the latter seem like a much more obviously good idea than the former. Notably, issues of somebody going out of scope (like the Facebook issue a while back) mostly disappear. Bounties on things like Chrome seem to be almost drama-free; the worst possible case, aside from somebody 0-daying a bug out of anger, is somebody not getting paid.
I seem to remember Miller mentioning in passing he got paid ~50K per vuln (you can guess who paid it by looking up Miller's past employers).
I don't know much about it tbh. tptacek and a few others have spoken extensively about bug bounties on HN. I'll try and dig up a few of their past comments.
Essentially what the argument comes down to is that a one off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.
Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit and perhaps only have a few days or even hours to use it how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.
If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...
What's more is there can't really be an established "market" for a unique exploit. If a product isn't being regularly traded then there's no easily findable pool of buyers. There's also no ongoing/repeat business which outside of contract law (and even for plenty of business conducted under contract) is all there is to keep people honest.
You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third world bars, sounds cool as hell, in fact I hope there are people living that life just because it makes reality that little bit more interesting. But your average pen tester isn't that.
Whenever I see the "better value on the black market" crowd show up here I'm actually reminded of a bit (Jim Jefferies, I think) about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".
> [...] that company will likely patch the bug very quickly.
I have heard many instances where it isn't the case (some bugs are often being exploited for months before the company finds out)... and you probably did too... but anyways, as an example, you don't need a lot of time to copy lots of data...
The Hacking Team hack had some interesting fallout... I believe the article below was posted on HN a while ago: [Edit, just saw tptacek's comment]
https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
https://www.wired.com/2015/07/hacking-team-leak-shows-secret...
I think people on HN are underestimating the tabloid market and previous prices paid for photos (https://en.wikipedia.org/wiki/List_of_most_expensive_celebri...). TMZ regularly pays out 5k for photos/videos; selling to them is the hard part, and not getting caught in some type of undercover sting during the process is why most people will take the bounty.
Every time this topic comes up, someone brings up the "market" for stolen photographs. For a site so interested in startups, we sure don't like to think like businesspeople when it comes to this topic.
Think about the steps required to acquire and monetize stolen photographs from Facebook accounts. Only a few of those steps involve Facebook vulnerabilities, just like only a few of the steps involving building a software company involve actually writing software.
But in order for that business to work at all, it needs a steady supply of Facebook vulnerabilities; all the work setting up a sales channel for photos, in reconnoitering accounts to figure out which ones to raid for photos, in determining what the prices for photos should be, in scouting out new customers for photos, and most of all providing OPSEC for a ridiculously risky criminal venture, all of it is at a standstill until someone (a) sells them a vulnerability and (b) shows them how to pivot that flaw to acquiring photographs.
Nobody is running that business, ready to receive Facebook CSRFs (or even serverside RCEs) so they can get another few weeks of Facebook photo-snarfing in. One way you know that is that when celebrity photos are stolen in phishing attacks, it's a major news story.
Vulnerabilities that command high prices on the black market do so because they slot into already-existing criminal enterprises. If the enterprise does not yet exist, the vulnerability is worth zero.
Buying stolen property is a crime. TMZ would be committing a crime if they bought photos from hackers. Doing that would be the end of TMZ.
They already have precedent for buying illegally obtained footage and nothing happened to them:
http://pagesix.com/2014/05/15/employee-who-leaked-solange-ja... http://www.newyorker.com/magazine/2016/02/22/inside-harvey-l...
They would be more worried about a Gawker/Hulk Hogan-like lawsuit than getting criminally prosecuted.
IANAL, but the first link does not support that conclusion. It is not made clear whether that employee was in fact committing theft and selling stolen goods to TMZ (the hotel threatens to press charges (what charges?) on the employee but did those charges actually go through?).
Furthermore, nothing happening in one case != okay to do whatever you want. I guarantee you TMZ has a team of lawyers that makes sure they stay on the right side of the fine line of plausible deniability.
I posted below (and got heavily and irrationally downvoted) that $5,000 is a joke. And your comment and others don't change my mind. A CSRF vulnerability; looking forward to reading a post on a SQL injection next time... I worked doing bots in my school days when I was a kid, and I saw the gray/black market can unfortunately be extremely profitable. $5,000 is nothing; we're not talking about a little startup here, it's Facebook, and they do have resources. Have you ever seen nasty content on Facebook on your wall, been spammed or even hacked? It's because these kinds of vulnerabilities get breached. Of course they can happen, but $5,000 is nothing considering the economic impact it can have if someone exploits it badly. A PR campaign to fix a mess wouldn't cost a few thousand, rather a few million. Again: kudos to the OP for posting this and doing things the right way (reporting to Facebook), but again, sadly good developers are getting underpriced...
PS: and by the way, I'm in no way circle jerking, this is not reddit, I'm here for a serious discussion on the topic.
As I said downthread, Facebook was the highest bidder for this interaction-required CSRF bug; the next-highest bidder would probably be $50.
There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives.
A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.
The price is not only what you can get on the black market, but it's also considering:
- How likely it is for someone else to find it (even internally)
- How long does it take for it to be identified and exploited, the impact of that, and time for mitigation/fixing
True, but it's also:
- How much would it cost to repair the trust of the users if the breach occurs. PR, marketing, organizational costs
Do you think a big company would pay $5k for a PR campaign to fix a mess due to a breach of private data? Not remotely.
It's always a question of probability: expected cost x expected probability gives you the end cost
You don't lock a $1000 bike with a $1000 lock, maybe with a $100 lock though.
I think $5,000 is a joke, this is a serious vulnerability... Despite this, congratulations for finding it and reporting directly to them, the right way. If it's possible to know, how many hours did you spend researching this?
>how many hours did you spend researching this?
Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
>I think $5,000 is a joke
This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173
I think $5,000 is a lot of money. I'd be pretty happy if they sent that to me. In years past, companies would just give you a nice pat on the back.
What if someone else was offering $10,000 for Facebook bugs, so they could exploit them? This bug could probably result in more than $5,000 in damages to the Facebook brand.
But someone isn't. That's the point. These bugs don't go for $10k on the black market.
Never mind the fact that it does matter to a lot of people whether they are committing a crime. Not everyone is a capitalist sociopath.
If someone without a conscience wanted to maximize their profit, they'd probably just sell to both sides.
That's odd considering the potential monetary damage of such bugs can far exceed $10k.
One can smash a car up with a sledgehammer. Is the value of a sledgehammer equal to the value of a car?
>Is the value of a sledgehammer equal to the value of a car?
My previous post was poorly worded; I didn't mean to imply equality.
To use your analogy, valuing a serious vulnerability on a platform that has 1.65B users in the $5-10k range is tantamount to selling a 30 lb sledgehammer for a dollar.
But what if producing a sledgehammer only cost 50 cents? Then people would sell sledgehammers for a dollar or less.
Rather than torture this analogy further:
Obviously exploit pricing is generally efficient and adheres to free market principles. That said, it's hypothetically possible that an exploit against a large tech company could sell for far more if the circumstances are right, considering the price to damage ratio is so skewed in addition to the unique nature of each exploit.
Therefore, large tech companies don't really have much to lose by paying far more than they currently do on bounties.
Granted, eliminating what's largely a hypothetical edge case is not the primary benefit to paying higher; incentivizing far more white hat researchers is.
Stealing this.
Me too. It really gets straight to the point.
The problem with valuing bugs at their damage potential is that the total damage potential of all bugs in any given product is almost certainly magnitudes greater than the total value of the product itself.
People always say this but where would you go to find such a buyer? If you could find someone who would purchase it from you, would you proceed to then sell it to them?
If you can't find a buyer and/or would most likely be unwilling to commit a crime, it's a moot point.
Right, but this is facebook, and it's breaking auth. This is the company that said that if there's a million dollar bug, they will pay out for it. I'm not saying this is a million dollar bug, but breaking auth is up there on things that are bad and is probably worth a bit more than 5k.
Outside of whatever bounty Facebook chooses to offer for it, this vulnerability has a value on the open market of, perhaps, $50.
Don't understand the downvoting here... Very irrationally or emotionally motivated. I'll explain why it's a joke: $5,000 is nothing considering what it could cost Facebook if someone in a black market finds this, plus a CSRF vulnerability is from a Security 101 lecture nowadays. They do have the resources and should put more money into auditing their production code and pay bigger bounties for someone who's not part of their company and finds a bug like this. Again, the downvoting is nonsense... this is not reddit guys, this is Hacker News.
Hell, I'd pay 6 just for shits and giggles.
Then do it. Facebook has a great security team, but it's a huge product with a lot of code churn, and there are plenty of shits and giggles left to find. Hang up a sign on Twitter or here, something credible that you can't get out of simply by changing your name to "admiralfred" or "commodorefred", that says you'll pay $6,000 for a Facebook CSRF.
You'll get a taker. Nobody other than Facebook is bidding for these bugs, and you're promising to be the high bidder for a lot of them.
Hmm. Seems like Facebook should create some front entities and buy cheap exploits on the black market. Of course, perhaps they already do. Smart folks work there.
Edit:
Actually, now that i think about it, someone in the right situation could probably make a nice living for a few years buying cheap/obscure exploits for lots of companies that provide bug bounties and submitting them. Beer money at least, perhaps tuition.
Seems sort of on the scale of small time drug dealer. Illegal, very risky in the long term, but possible to get away with for a few years if you're cautious.
>I think $5,000 is a joke, this is a serious vulnerability...
I tend to agree. They should probably add a zero to that.
Obviously $5,000 is a lot of money, but not to Facebook, and especially not in the context of fixing serious vulnerabilities on a platform that has 1.65B users.
If Facebook paid more they'd enhance their security in the process, at the cost of what amounts to chump change for them.
Maybe. But for anyone to make money off it, they'd need to be willing to be or work with a criminal, right? If they are getting work done for the amounts paid, why pay higher?
If you're working on Facebook security, is that a bet you're willing to take?
People might mostly take what they're offered, have it amount to a decent enough hourly rate but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.
At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?
> If you're working on Facebook security, is that a bet you're willing to take?
Apparently so. That's what they're offering and paying. The entity that most benefits from FB security is FB, and they seem to be OK doing this.
> If they are getting work done for the amounts paid, why pay higher?
To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?
95% of people are incentivized enough to not sell to hackers by the incentive of not becoming a criminal.
I don't believe it's illegal to sell vulnerabilities.
Governments also buy zero days.
Sure, just walk into an embassy with a flash drive; I'm sure they've got sacks of doubloons in a basement safe just waiting for someone like you...
If anything it's to give people the incentive to actually flesh out a bug report and send it to them. I really have no idea where everyone's getting this "The black market will pay billions!" idea from.
Facebook is a closed system, an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find an exploit kernel-level that allows you to execute any command you want at any administrative level on Windows/Linux/etc which allows people to drastically increase their botnet size? That'll get you some cheese.
I guess the reasoning would be that some hackers probably have found vulnerabilities they'd rather sell on the black market for 50K than sell to Facebook for 5K.
Who is paying 50k for these things? A while back the Hacking Team dumps showed very low prices. Zero days in widespread desktop systems were like 100k. Why would a remote service flaw that can be fixed at a moment's notice be worth much more?
How do you recoup 50k on FB? Not a theoretical "I'll hack Tom Cruises' pictures and blackmail him" but an actual demonstrated business model.
If it's a government buying the exploit, they wouldn't care about recouping the cost. Hence why a large sum is feasible.
Didn't the HT leaks show vulns that'd be sold to anyone? An online service hack just wouldn't command the same pricing. Is there any source/docs to indicate the e.g. NSA pays $50K for this kind of vuln?
Also note that the majority of government entities can just legally request information.
>Is there any source/docs to indicate the e.g. NSA pays $50K for this kind of vuln?
If anything smaller governments without in-house vulnerability research would be more willing to pay large amounts.
>Also note that the majority of government entities can just legally request information.
The kind of governments that would be interested in exploiting Facebook probably aren't the kind that could legally request the information in the first place.
The black market is a false dichotomy. Either you need the money for your work, then negotiate a reasonable price, or you don't, then disclosing it for free might actually help someone not to be lowballed by BigCo the next time.
There really should be a bug marketplace, instead of one side having all the power and paying pennies.
Markets aren't magical. They route resources, they don't create them from thin air. If Facebook is ultimately the only organization that realizes $5000+ in value from a vulnerability, then no matter how you structure the marketplace, it isn't going to discover a higher price for that flaw.
If you believe otherwise, you're missing a business opportunity. Go create a "bug market" for Facebook and Google serversides. It's not illegal to buy vulnerabilities, or to sell them (so long as you're reasonably sure they're not going to be used as part of a specific criminal enterprise --- but don't worry, if you stick a $5000 price tag on a serverside bug, or even a $500 price tag, you can be pretty sure it won't be used by criminals).
By submitting a bug through a bug bounty system you place the reward into Facebook's hands. Following the same argument you can say they can offer $1, because they are the only organization interested in the bug. After all exploiting a vulnerability puts you on the wrong side of the law.
However I do believe saying you discovered a pretty serious bug by putting it on a market sends a strong message. Your system is vulnerable and you are too cheap to pay up.
Out of curiosity, was there any particular reason why you decided to write a blog post about this vulnerability 5 months after the bug was fixed?
I wanted to move from Blogspot to a personal domain, but kept delaying it for a long time.
So you got paid $5,000? How long since the first report did it take for that to reach your bank account?
The bug was reported on December 8th, 2015 and fixed on February 18th, 2016 which is an unusually long time for Facebook. The bounty reached my account during the middle of March, but Facebook has recently changed their bounty payment processor to Bugcrowd, and now they have weekly payments.
Weekly payments as opposed to a lump sum? Why? I can't imagine cashflow is an issue for them.
I suspect franjkovic means that there's a queue of lump sums to get deposited to their respective owners, and payments in that queue get processed once per week.
I took that as "they payout all bounties due weekly via an automated system instead of whenever accounting gets around to writing a check".
I took that to mean payments every week instead of at certain payout times.
Weekly, as opposed to Google's biannual system.
Well done, I hope you made some €€€ on it...