Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User (stephensclafani.com)
163 points by ssclafani on July 8, 2014 | hide | past | favorite | 19 comments


As a security researcher, the most impressive part of this is the response timeline from Facebook's security team. 3~ hours from first report to temporary patch! That's insane.


We also have a system for patching vulnerabilities which does not require a full code push. It has been useful on a number of occasions. (source: I patched this one)


Does Facebook usually respond to exploit reports so quickly, or does the fact that the discoverer (Stephen Sclafani) helped Facebook find bugs in previous years mean that his emails were automatically flagged as high-priority?


We try to respond to any exploit of this severity immediately, and will often disable a feature temporarily while working on a fix rather than letting the exploit remain open. It helps a lot when the repro steps are as clear as they were in this one.


Facebook deploys code twice a day. It used to be once a day but as the org grew they decided to double down. They can deploy even more often if there's a "pusher i haz a hotfix" situation like this.


Yeah, I reported a simple security breach in Outlook.com to Microsoft three weeks ago, and it seems they still haven't fixed it yet. Way to go Microsoft.


Then you can share :D


I'm not a huge fan of Facebook but that is one impressive bug bounty and turn around time. Nice job to both parties.


What's wrong with fb?


In the spirit of https://xkcd.com/1053/, I'll assume you haven't heard about the privacy violations, misleading or hard to find control panels, and constant changes to visibility settings leading uninformed users to unwittingly post sensitive information with public visibility.

Facebook (the web app) has its uses and reasons to like it, but there are also lots of reasons not to like it.


Pretty slick way to earn 20 grand...nice work


Taking the following into consideration:

- The severity of the exploit, which may be nearly the maximum theoretical possibility on a site like Facebook, aside from SQL injection or remote code execution

- The multiple months worth of unpaid sleepless nights Stephen Sclafani likely spent exploring countless dead-ends before finding this

- The fact that he beat black hats to the punch by discovering it first and thus saved Facebook and its users from millions, perhaps billions, of dollars worth of damages stemming from vague and mysterious causes over an indefinite period of time

- The billions of dollars Facebook regularly uninhibitedly spends to acquire a given startup

I feel that $20,000 is a bit low.


"Insultingly low."

Really? 20K is about two months of salary for a Facebook engineer. So even if he did spend months on this like you speculate (he didn't) it's still an industry-leading salary.


Holy crap, I'm working for the wrong company.


> Insultingly low.

Oy.

Not that I am going to pretend that I know what the dollar value of Sclafani's time/effort should be, but I have a hard time believing that $20,000 is an insult. Just because he could get more money by exploiting the bug -- or showing others how to exploit it -- doesn't necessarily suggest to me that he should get paid more than he did.


The price you can get for something == its value.


That's not totally accurate - sometimes you're exchanging more than just the item in question, for example, putting yourself in danger.

In other words, if you can sell an item for $100k if you follow a set of laws (a government's, an organisation's, a community's, or your own), but you could sell the item without doing so for $500k, the item is still really only worth $100k (to you), but the (physical/societal/moral) danger involved in selling the item illegally that goes with it is not worth $400k to you.

Or, put another way, the item may be valued at $500k (to some potential buyer), but the legal buyer of the item is offering not to put you in danger in exchange for $400k.


I thought $20k was really low. GREAT value for Facebook. In the hands of black hats, trust in Facebook could have been destroyed before they had time to patch the vulnerability.


Reminds me of the whole SnapChat thing. People just aren't securing the internal APIs their mobile apps use.

