Facebook Don't Care About Their Users Again

Several years ago, a researcher found a vulnerability in Facebook and he informed the official and provided with the PoC in full details when asked. Later, the researcher was told that it was not vulnerable. The researcher then exploited the founder of Facebook account with the vulnerability that he found in order to alert the founder. However, the researcher could not get his bug bounty at the end and the vulnerability was fixed by Facebook then. Some Facebook users knowing that, they then funding the researcher themselves as they thought that the researcher need the reward.



Today, another researcher, teh3ck (Twitter @teh_h3ck) found a open-redirect vulnerability and Facebook has been informed. However, tech3ck was informed that "the security impact of this bug is not significant" and refused to pay the bug bounty. The following is the timeline of the bug report :



12th of Nov 2015 | Initial bug report

12th of Nov 2015 | Reply from FB bot that it is false positive

12th of Nov 2015 | Added more clarification for the bug

16th of Nov 2015 | Reply from facebook that they use a blacklist method on their next_uri

16th of Nov 2015 | Sent POC videos of the bug that show the impact of the vulnerability

18th of Nov 2015 | Reply from facebook that i am redirecting to a non blacklisted site

18th of Nov 2015 | Explaining why url blacklisting is not the solution for the specific bug

26th of Nov 2015 | Reply from fb that security impact of this bug is not significant.

6th of Dec 2015 | Public post of the bug



For details, please refer to Vag Mour site.



In conclusion, Facebook and her security team are suck again.



That's all! See you.



Update :



After teh3ck and this article posting several hours, Facebook fixed the vulnerability without giving teh3ck any bug bounty. My recommendation is not to report to Facebook if you find something else on it. You will never never never get the bug bounty for sure.