科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

I Hacked into Facebook's Legal Department Admin Panel

669 points, by hackerpain, over 4 years ago

21 comments

throwitaway1235, over 4 years ago
You brilliant guys need to find a way to extract more than $7500 for solutions to problems that less than what, 2%?, of the world's population can solve.

If I were your tech agent I'd demand Facebook pay out $75,000 minimum for this specific problem.
iso8859-1, over 4 years ago
First pentester I found with 12k followers on Instagram: https://www.instagram.com/al_shwele/ but 8 on GitHub: https://github.com/Alaa-abdulridha

Instagram keeps surprising me...
trav4225, over 4 years ago
I've always wondered, aren't these types of bug investigations illegal? Aren't the investigators concerned about criminal prosecution? Not being snarky; I'm asking sincerely.
Dumble, over 4 years ago
I find the paragraph where the author described the exploit hard to read.

Basically, he triggered the "Password Reset" process and then guessed the reset token?
dang, over 4 years ago
URL changed from https://alaa0x2.medium.com/how-i-hacked-facebook-part-one-282bbb125a5d, which points to this.
anonu, over 4 years ago
$7500 seems low for this bug. If I were Facebook I would raise it. Why?

Cost/benefit analysis tells me I could probably get a lot more for this bug going to some more nefarious actors.

$7500 is a drop in the ocean for a company like FB, who has a reputation to keep intact.
petters, over 4 years ago
How on Earth did this endpoint pass code review at Facebook?

The person who wrote it was probably working under the assumption that the calling user was logged in, but still....
z3t4, over 4 years ago
Judging by the response letter, it seems they think he only managed to reset a password... not *setting* the password. Will be interesting to read the follow-up.
polishdude20, over 4 years ago
What is this fuzzing tool you use to get the endpoints?
greatgib, over 4 years ago
I'm a little bit disappointed, because from the title I expected a little bit of a deep dive into the content of the admin panel.

Something like an insight into what kind of secret power or privacy abuse was available to the legal department without the users really realizing.
mherdeg, over 4 years ago
It's kinda cool that because this webapp is evidently so little used in public, if you just do a Web search for "facebook tapprd" you're pretty much just gonna find bug bounty writeups (e.g. https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125).
rukshn, over 4 years ago
Awesome post. Shameless plug on a similar exploit I found using the browser developer tools on a large-scale application: https://github.com/rukshn/rukshn.github.io/blob/master/archives/easter/egg.md
fareesh, over 4 years ago
So in this case he actually changed someone's password - don't they have a policy saying that you have to only do this kind of stuff with your own account or in a sandbox? Or is this exempt because such a thing is not possible since it's internal?
ttsda, over 4 years ago
The way the admin panel screenshot is censored is not good, as per this post: https://news.ycombinator.com/item?id=25326450

All those names could be recovered in theory.
ForHackernews, over 4 years ago
$7500? Why are these bug bounties so piddling?

How much would an exploit like this be worth on the black market? What's the potential loss / liability on Facebook's side? Hundreds of thousands? Millions?
devpbrilius, over 4 years ago
Proofreading services.
etxm, over 4 years ago
Facebook had better up that payout on the other two vulnerabilities he found.
lqet, over 4 years ago
Interesting, but missing words and strange/missing punctuation make this a bit hard to read.
rdtwo, over 4 years ago
With that kind of skill you should just be working websites and buying PlayStations, shoes and other high-demand goods in bulk. You can make more than 7k per week.
zz_throwaway_zz, over 4 years ago
How is this possible?

Even in my one-weekend web apps I ensure password reset tokens are secured against their user and token type, but Facebook, a $720,000,000,000 company, can't do it for their ADMIN site?
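Dumble's question (whether the reset token was simply guessed) and zz_throwaway_zz's point above (tokens "secured against their user and token type") together describe what a password-reset token has to get right: it must be unguessable, and redeeming it must be bound to exactly one account and one purpose. The following is an added illustration written for this page; it is not code from the write-up, from the commenters, or from Facebook's admin panel. It is a hypothetical Python reset-token service (the class name, the in-memory store and the limits are assumptions for the example) that stores only a hash of a high-entropy token, checks user and purpose binding, enforces expiry and single use, and locks a user out after repeated failed redemptions so that token guessing is detected and stopped rather than rewarded:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    token_hash: str    # SHA-256 of the raw token; the raw token is never stored
    user_id: str       # the one account this token may act on
    purpose: str       # token type, e.g. "password_reset"; blocks reuse in another flow
    expires_at: float  # absolute time after which the token is dead
    used: bool = False


class ResetTokenService:
    """Hypothetical reset-token store (in-memory for the example; a real
    service would back this with a database row per token)."""

    TOKEN_BYTES = 32       # 256 bits of entropy: guessing is infeasible
    TTL_SECONDS = 15 * 60  # short lifetime limits the window of a leaked token
    MAX_FAILURES = 5       # failed redemptions per user before lockout

    def __init__(self, now=time.time):
        self._records: dict[str, ResetRecord] = {}
        self._failures: dict[str, int] = {}
        self._now = now  # injectable clock so expiry can be exercised in tests

    @staticmethod
    def _digest(raw_token: str) -> str:
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def issue(self, user_id: str, purpose: str = "password_reset") -> str:
        """Create a token for one user and one purpose; return the raw token
        (to be delivered out of band, e.g. by email). Only its hash is kept,
        so a leaked copy of the store does not yield usable tokens."""
        raw = secrets.token_urlsafe(self.TOKEN_BYTES)
        rec = ResetRecord(self._digest(raw), user_id, purpose,
                          self._now() + self.TTL_SECONDS)
        self._records[rec.token_hash] = rec
        return raw

    def redeem(self, raw_token: str, user_id: str,
               purpose: str = "password_reset") -> bool:
        """Return True only if the token is live, unused, and was issued for
        exactly this user and this purpose. Every failure counts toward a
        per-user lockout, so a brute-force attempt cannot run unbounded."""
        if self._failures.get(user_id, 0) >= self.MAX_FAILURES:
            return False  # locked out: even a correct token is refused
        rec = self._records.get(self._digest(raw_token))
        ok = (
            rec is not None
            and not rec.used
            and self._now() <= rec.expires_at
            # Binding checks: a token for user A must not reset user B, and a
            # token minted for another flow must not work as a password reset.
            and hmac.compare_digest(rec.user_id.encode(), user_id.encode())
            and hmac.compare_digest(rec.purpose.encode(), purpose.encode())
        )
        if not ok:
            self._failures[user_id] = self._failures.get(user_id, 0) + 1
            return False
        rec.used = True  # single use: the same link cannot be replayed
        self._failures.pop(user_id, None)
        return True


if __name__ == "__main__":
    svc = ResetTokenService()
    token = svc.issue("alice")
    print("token for bob:", svc.redeem(token, "bob"))          # False
    print("token for alice:", svc.redeem(token, "alice"))      # True
    print("replayed token:", svc.redeem(token, "alice"))       # False
```

The two binding checks are the part zz_throwaway_zz is talking about: the token's identity is not just "is this string in the table?" but "is this string in the table for this user and this flow?". Hashing before storage and the failure counter address Dumble's scenario from the defender's side: a guessed or leaked value must be both statistically hopeless and noisy enough to trip a limit.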
atum47, over 4 years ago
Well, I wasn't gonna comment about this subject, but here we go: I find this value ($7,500.00) kind of low for a discovery like this.

The other day, someone shared a link to an app [1] that estimates how much an OnlyFans user makes. I gotta tell, it got to me. I was never money orientated and I don't plan to become so; but seeing how much someone makes by being naked in front of a webcam vs. a software engineer salary is kinda sad.

Some of the OnlyFans users make in a month what a plain SE would make in a year. Besides the fact that there are some seriously wrong things with the world, I thought this kind of skill would be more rewarded. Given the fact that you could exploit this vulnerability to make a lot more money (or am I mistaken?).

1 - https://news.ycombinator.com/item?id=25393191