Facebook can and should be held liable for clear failings on the behalf of their security team.<p>Absolutely no backend code should be pushed out that isn't first audited by a security company. God knows they can afford it, and mistakes like this could end up being much more costly to Facebook (stock price, lawsuits, etc).<p>Crap like this makes it clear that not only are critical changes to the security infrastructure at Facebook not at all audited (in-house or outsourced!) for even the most ludicrously-obvious security vulnerabilities, but also that Facebook itself does not take even begin to take security seriously.<p>And this is completely ignoring the fact that it took them five days to acknowledge such a critical issue, which is a further symptom of Facebook's sheer apathy to the security, privacy, and data of their users, both corporations and individuals alike. To think that a company/website like Facebook, containing as private and personal information as Facebook profiles have, and with such incredible monetary and technical resources at its beck and call cannot even triage incoming vulnerability reports correctly makes absolutely zero sense.
Chrome 27.0.1453.116 (for me) says:<p>"Warning: Suspected phishing site!<p>The website at blog.fin1te.net contains elements from sites which have been reported as “phishing” sites. Phishing sites trick users into disclosing personal or financial information, often by pretending to represent trusted institutions, such as banks."<p>The home page doesn't produce this message, even though the linked article is summarized there. Clicking on the article from the home page also produces this message.<p>Nonetheless, very simple yet very clever exploit! I'm sure someone kicked themselves pretty hard over that one.
This is mindbogglingly bad. How did they manage to introduce a dependence on unauthenticated client-side state for such a critical operation in a relatively new feature?<p>If they weren't willing to hit the database to recall the profile_id for the reset operation, it makes me wonder whether the confirmation codes are in fact deterministic, rather than randomly generated.
This root of this bug (exposing profile_id or some user identifier in a hidden field and passing it to the server as a parameter) is incredibly common, and super easy to exploit via <i>inspect element</i>.<p>We have a rails test that we give dev candidates, and red flags go up when we see this happening (which is far more often than I'd like to admit). Kind of scary that there's likely a bunch of production code floating around that is so easily hackable.
Great ingenuity in finding authentication flaws. It's exactly what I told a friend who is learning programming...it's all trial and error.<p>Every time I hear the reward amounts, it entices me to divert my attention to finding bugs and loopholes in systems. :/
This is an incredibly simple (and dangerous) hack, I'm happy to see it was neutralized so soon after being discovered.<p>Also good to see that the finder was amply rewarded for his effort.
Nice.<p>A side note - the SMS confirmation code text should <i>explain</i> what is going to happen when the code is used. Along the lines: "Facebook mobile confirmation code ds3467hj. <i>Note. Entering this code would link this phone to your Facebook account</i>".<p>Otherwise, if the SMS is just "confirmation code ds3467hj" it is overly easy to create a phishing attack which results in the user (striving to get access to some resource, like a magazine article for example) in entering the code on an attacker web site.
This bug shows us, how bad their software really is and that all the PHP crap on their frontend can access every data from every users. If they have had a "middleware" between frontend and database, such kind of bugs weren't possible.<p>Anyone remember the bug as everyone had access to private photos of Marc Zuckerberg?<p><a href="http://www.telegraph.co.uk/technology/facebook/8938725/Facebook-privacy-flaw-exposes-Mark-Zuckerberg-photos.html" rel="nofollow">http://www.telegraph.co.uk/technology/facebook/8938725/Faceb...</a><p>Same auth-bypass shit.