Reading local files from Facebook's server (fixed) (opens in new tab)

(josipfranjkovic.blogspot.com)

44 pointsfranjkovic11y ago19 comments

19 comments

HN, I am wondering about your thoughts on the $5500 bounty. This is a bug that affected third party system on Facebook's servers, and the network was locked down. I could have gained access to resume analysis software and maybe resume uploads themselves. There was a small to none chance I could get Facebook internal code or binaries. So, was the bounty enough?

patio1111y ago

Neither here nor there regarding compensation, but if I were to describe this for the purpose of e.g. a resume, I do not think "I demonstrated a vulnerability allowing one to root a facebook.com server and thereby compromise any Facebook user" is an exaggeration. You're most of the way there, and while developing it further might be a fun exercise, from their perspective it should be a mostly forgone conclusion that you'll win.

dsl11y ago

In my experience - yes. Very generous.

Almost all other companies would say the bug was out of scope, thank you for reporting it, and maybe send you a t-shirt.

vertex-four11y ago

Did you report it to Facebook, rather than sell it on the market? Yes? Then it was enough, by definition.

Honestly, resume uploads are unlikely to be worth much. The resume analysis software either. What information there is worth anything to an unreputable buyer?

kenko11y ago

It absolutely doesn't follow that it was enough. Someone might report it to facebook rather than sell it on the market out of principle regardless of the bounty, while still thinking that the bounty is way too low relative to the severity of the issue. (What's more, the size of the bounty might be revealed only after it's been reported.)

However, I'm unsurprised to find such reasoning on HN.

3 more replies

zachberger11y ago

The temporary fix wasn't very user friendly. It was a plain text response "Please try again later" when trying to upload a resume.

franjkovicOP11y ago

Yeah. In the 1 day timeframe between temp and permanent fix you could not upload resume, which is a breaking change for end users.

But, I think it was pushed because it was Sunday and Careers team was not on site to properly/permanently fix the bug.

themartorana11y ago

Well, they had to figure out what was going on with software from a 3rd party vendor. That likely adds overhead.

But hey, I'd break all kinds of functionality temporarily to make sure this exploit - which as is explained, looked worse than it ended up being, wasn't actually as bad as (or worse than) it did look.

1 more reply

ceejayoz11y ago

I'm impressed with the fix turnaround.

2ddddd2211y ago

GJ Plit

styles11y ago

Did anyone else notice a user named Gopher? Go at Facebook?

zackboe11y ago

It's most likely for the Gopher protocol: http://en.wikipedia.org/wiki/Gopher_%28protocol%29

rakoo11y ago

I'm more suprised at all the useless users still present.

j / k navigate · click thread line to collapse

19 comments

franjkovicOP11y ago

patio1111y ago

dsl11y ago

In my experience - yes. Very generous.

Almost all other companies would say the bug was out of scope, thank you for reporting it, and maybe send you a t-shirt.

vertex-four11y ago

Did you report it to Facebook, rather than sell it on the market? Yes? Then it was enough, by definition.

Honestly, resume uploads are unlikely to be worth much. The resume analysis software either. What information there is worth anything to an unreputable buyer?

kenko11y ago

However, I'm unsurprised to find such reasoning on HN.

3 more replies

zachberger11y ago

The temporary fix wasn't very user friendly. It was a plain text response "Please try again later" when trying to upload a resume.

franjkovicOP11y ago

Yeah. In the 1 day timeframe between temp and permanent fix you could not upload resume, which is a breaking change for end users.

But, I think it was pushed because it was Sunday and Careers team was not on site to properly/permanently fix the bug.

themartorana11y ago

Well, they had to figure out what was going on with software from a 3rd party vendor. That likely adds overhead.

1 more reply

ceejayoz11y ago

I'm impressed with the fix turnaround.

2ddddd2211y ago

GJ Plit

styles11y ago

Did anyone else notice a user named Gopher? Go at Facebook?

zackboe11y ago

It's most likely for the Gopher protocol: http://en.wikipedia.org/wiki/Gopher_%28protocol%29

rakoo11y ago

I'm more suprised at all the useless users still present.

j / k navigate · click thread line to collapse