Facebook gives UK man $20k for discovering security flaw

Facebook has rewarded a British man with $20,000 (£13,000) after he found a bug which could have been exploited to hack into users' accounts.

Jack Whitton, a security researcher, discovered a flaw in the social network's text messaging system.

Facebook thanked Mr Whitton, who is part of the site's "responsible disclosure" hall of fame.

The company, like many on the web, encourages experts to report bugs to them rather than cybercriminals.

To make it worth their while, rewards are offered of varying amounts depending on the severity of the flaw.

Such programmes are known as "bug bounties", with similar schemes being run at the likes of Microsoft, PayPal and Google.

"Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems," Facebook told the BBC.

"Once again, the system worked and we thank Jack for his contribution."

The bug, which has now been fixed, allowed Mr Whitton to spoof Facebook's text message verification system into sending a password reset code for an account that was not his.

Using this, he could go to Facebook, reset a target user's password, and access the account.

http://www.bbc.co.uk/news/technology-23097404

------------------------------------

At least he'll be 13k richer than many of us here :(
 
13k*

Good on him though, not worth much to criminals though.

Really? I would have thought this could be worth a huge amount of money. Getting into anyone's Facebook account wouldn't be of some use or value to people? That's ignoring the amount of damage it could do to people's trust in the system.

£13,000 is absolute peanuts for this.
 
lol 13k..

even OcUK were willing to pay 10k during the DDoS attacks.

The damage that guy could have done could have been huge, or anyone with malicious intentions that discovered it.
 
Agreed, absolute peanuts for this. Anyone with the right tools could have exploited this and certainly given Facebook a bad image. A company with Facebook's integrity could be damaged if something was to be exploited in such a manner.
 
Access to accounts means access to personal private messages. That's quite sensitive information for some people, not to mention the cost in terms of loss of advertising revenue if users start leaving the site due to lack of trust. I'd say £13k is about right.
 
I don't think that $20k is enticing enough to deter people from selling/using the exploit for illegal gains.

Obviously it depends on the person's principles, but I would have thought 50k or 100k for a major exploit.
 
I don't think that $20k is enticing enough to deter people from selling/using the exploit for illegal gains.

Obviously it depends on the person's principles, but I would have thought 50k or 100k for a major exploit.

That's the sort of money you would get on the black market. IIRC a good iOS exploit would bag you $250k or so.

If you're willing to use the exploit yourself you can bag a lot more. Big money in cyber crime.

In that regard, £13k doesn't sound like much, but the guy who found it was a security researcher. Any black mark on his record would ruin his career, so the big money is unavailable to him and I expect £13k would be quite welcome.
 
Bringing OcUK down with a DDoS attack for even one hour would lose them a lot of revenue, which is why they would pay for it.

I think the only real damage this could do to Facebook would be to its stock; anybody that has confidential material and sends it via Facebook deserves to be hacked.
 
What illegal gains can you make from getting access to a person's Facebook account? And you have to factor in the $20k is legal money, so not directly comparable to $20k of illegal earnings.

Identity theft & authentication, to name two.
 
Identity theft & authentication, to name two.

What details are on someone's Facebook account that aren't widely available from plenty of other sources? It doesn't store your bank details, it doesn't store your exact address. In fact I'd say Facebook was one of the worst places to look for ID theft; you'd get a lot more just by going through bins.

What does Facebook authenticate?
 
I don't think that $20k is enticing enough to deter people from selling/using the exploit for illegal gains.

Maybe not, but it's probably enough to persuade people who wouldn't know how/want to engage in illegal acts but who are very technically gifted to start looking for the bugs.

So now you have bad guys looking for them to exploit them and good guys looking for them to be rewarded.

Hopefully the latter find them before the former find them and implement a method to gain from it.
 
Pretty poor from Facebook. £1,300,000 wouldn't have been enough to cover up the damage this could have caused. All he gets is 13k?
 
What illegal gains can you make from getting access to a person's Facebook account?

Well, it's not one, it's potentially millions.

So:

phone numbers
email accounts
personal details

From many, probably enough to steal identities/make lists of emails or phone numbers to sell on to others.
 