This Bug Hunter Made $2,500 with a Bug Report That Took Him 2.5 Minutes and No Testing Tools
Facebook has paid a security researcher $2,500 for reporting an information disclosure bug that took him less than 3 minutes to discover without any testing or proof of concept, or any other time-consuming processes. This vulnerability was exposing details of Facebook page administrators through a new feature that Facebook was testing.
In his report, security researcher Mohamed Baset says that he received an email from the social network inviting him to like a page that he had previously visited and liked a post on. While he hadn’t liked the page itself, through this feature Facebook was enabling page admins to target visitors who had interacted with any of their page content but hadn’t liked the page yet.
A simple “show original” on this invitation email allowed Baset to see that Facebook was exposing page administrators’ details. Looking at the email’s source code, he noticed that it included the name along with other details of the page administrator.
While this bug wasn’t any devastating, mind blowing discovery, Baset describes it as a logical error. Facebook informed him that he will be receiving $2,500 for this information disclosure issue that took Baset a couple of minutes to discover thanks to the simple “show original” drop-down menu option in email.
This latest Facebook bug report proves that hackers not only need technical skills, but more often than not also need to have a hacking and hunting mentality that enables them to spot problems in the obvious but easy-to-miss places.
Facebook continues to attract much of the white hat hacking community; the social networking giant recently announced that it paid over $880,000 in bug bounties last year, bringing its total rewards to over $6,300,000.