Doesn't this show just how crappy the backend permissions must be in Facebook's code? Every new page needs to get the permissions checks exactly right, otherwise... Disaster. As an analogy, it's like the most stupidly-designed UNIX system, where each user program that opens a file runs as root and must remember to do a permissions check when opening a file, rather than centralising the permissions system in the kernel.

No-one would accept such a shoddy design in an OS, yet in today's web apps it is apparently standard practice...
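The design contrast the comment above draws, as an added example (not the commenter's code): a per-handler check that one new page forgets, next to a dispatcher that enforces a deny-by-default policy before any handler runs. The photo store, routes and user names are constructed sample data.

```python
# Added illustration of "every page must remember to check" versus a central,
# deny-by-default authorization layer. All data below is constructed.
from typing import Callable, Dict, Tuple

# Constructed sample store: photo id -> owner and content.
PHOTOS = {"p1": {"owner": "alice", "data": "alice's photo"},
          "p2": {"owner": "bob", "data": "bob's photo"}}

class Forbidden(Exception):
    """Raised when a request fails authorization."""

# --- Fragile design: each handler is trusted to check on its own. ---
def view_photo_checked(user: str, photo_id: str) -> str:
    # This page remembered the check.
    if PHOTOS[photo_id]["owner"] != user:
        raise Forbidden()
    return PHOTOS[photo_id]["data"]

def view_photo_forgotten(user: str, photo_id: str) -> str:
    # A newly added page whose author forgot the check: any user reads any photo.
    return PHOTOS[photo_id]["data"]

# --- Centralized design: policy is attached to the route, not buried in code. ---
Policy = Callable[[str, str], bool]
Handler = Callable[[str, str], str]

def owner_only(user: str, photo_id: str) -> bool:
    # Unknown photo ids fail closed (no owner matches).
    return PHOTOS.get(photo_id, {}).get("owner") == user

def raw_view(user: str, photo_id: str) -> str:
    # Handler body carries no authorization logic at all.
    return PHOTOS[photo_id]["data"]

# A route cannot be registered without a policy; the table type enforces it.
ROUTES: Dict[str, Tuple[Policy, Handler]] = {"/photo/view": (owner_only, raw_view)}

def dispatch(route: str, user: str, photo_id: str) -> str:
    # Deny by default: unregistered routes and failed policies never reach a handler.
    entry = ROUTES.get(route)
    if entry is None:
        raise Forbidden()
    policy, handler = entry
    if not policy(user, photo_id):
        raise Forbidden()
    return handler(user, photo_id)

def allowed(fn: Callable[..., str], *args: str) -> bool:
    # Convenience wrapper: True if the call succeeds, False if authorization fails.
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```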
It is quite saddening that there is a recent trend of hiding the complete URL from the user when the URL itself conveys much information. When the URL is hidden the user is not given the incentive to look at the URL, let alone modify it. This kind of bug should have been discovered much sooner when the user is given the opportunity to directly look at the URL and experiment with it.
Mobile would be great for taking this kind of approach to bug hunting.

Especially since Android just launched a (proper) bug bounty program [0]. A ton of old problems are new again on Android, especially due to the fact that a significant percentage of the OS stuff is being re-implemented in Java (IPC, sandboxing, etc). The more I dig into it the more I'm convinced very few people are conducting serious security reviews outside of Google.

Take this bug as an example: http://seclists.org/fulldisclosure/2014/Nov/81 An apk with system privileges (the settings app) would accept IPC messages from any unprivileged app and relay them with system privileges.

[0] http://techcrunch.com/2015/06/16/google-launches-bug-bounty-program-for-android-with-rewards-up-to-8000/
I've been wanting to start doing bug bounties for a while now, but I have only been able to find serious bugs in sites *without* bug bounty schemes. I was starting to think that it would be impossible to get any bug bounties because of the number of people searching, but this post gives me some confidence.
Can anyone comment on when is a good time to start a bug bounty program?

I have some clients with relatively small scale (small budget) projects. Is it better to post a bounty program on HackerOne? Or force them to budget to hire a security researcher consultant for a day to find high-level issues? Or both?