franjkovic's comments

franjkovic | 9 years ago | on: Stealing Facebook access_tokens using CSRF in device login flow

>how many hours did you spend researching this?

Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.

>I think $5,000 is a joke

This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is a good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173

franjkovic | 9 years ago | on: Stealing Facebook access_tokens using CSRF in device login flow

The bug was reported on December 8th, 2015 and fixed on February 18th, 2016 which is an unusually long time for Facebook. The bounty reached my account during the middle of March, but Facebook has recently changed their bounty payment processor to Bugcrowd, and now they have weekly payments.

franjkovic | 10 years ago | on: Bug Bounty Ethics

I'd say it does.

>Not interact with other accounts without the consent of their owners.

Edit: whoops, I misread this a bit, but the point still stands - he escalated using an AWS keypair that did not belong to him, and he had no consent from the owner.

franjkovic | 11 years ago | on: Race conditions on Facebook, DigitalOcean and others (fixed)

Facebook puts out stats from their bug bounty program once a year. Most of the bugs are invalid reports - in 2013 they had 14,763 reports, with 687 being valid.

(https://www.fb.com/818902394790655)

They probably have a couple of people working exclusively on bug bounty reports. I also have to say they did a great job changing communication channels from emails to tickets which show up in /support/; it is way easier now. The downside is that you must have a Facebook account; not sure if it was needed before the change.

franjkovic | 11 years ago | on: Reading local files from Facebook's server (fixed)

HN, I am wondering about your thoughts on the $5500 bounty. This is a bug that affected a third-party system on Facebook's servers, and the network was locked down. I could have gained access to resume analysis software and maybe the resume uploads themselves. There was a small to no chance I could get Facebook internal code or binaries. So, was the bounty enough?

franjkovic | 11 years ago | on: Reading local files from Facebook's server (fixed)

Yeah. In the one-day timeframe between the temporary and permanent fix you could not upload a resume, which is a breaking change for end users.

But I think it was pushed because it was Sunday and the Careers team was not on site to properly/permanently fix the bug.

franjkovic | 12 years ago | on: Facebook bug bounty: secondary damage bugs and fairness

I agree with this - yet BB programs are still very successful. Why? Because not everyone who knows about websec has a job in the field. The second thing is, $500 as a minimum reward may seem small in first-world countries, but in the rest it is close to the average monthly pay.

franjkovic | 12 years ago | on: Facebook CSRF leading to full account takeover (fixed)

The redirect URL when you give access to Facebook is different for other email providers. Hotmail (that is, Outlook) is the only one that worked as far as I know - I have tested Gmail and Yahoo, but neither of them was exploitable (there is also a chance I missed something, so it is worth checking again).