Author

Topic: . (Read 1709 times)

newbie
Activity: 28
Merit: 1
.
February 09, 2011, 08:12:08 PM
#10
Maybe he sold the vulnerability to someone else, and wants to cover his tracks.
Good luck with that...

This must be interesting to people who use Facebook or any 'social' website.  I don't use Facebook or the such.
donator
Activity: 826
Merit: 1060
February 09, 2011, 04:58:00 PM
#9
Maybe he sold the vulnerability to someone else, and wants to cover his tracks.
full member
Activity: 157
Merit: 104
February 09, 2011, 04:50:28 PM
#8
security maybe? maybe you should remove your quote as a show of good faith.
full member
Activity: 126
Merit: 100
February 09, 2011, 04:15:18 PM
#7
Ummm....   Why did mrb all of a sudden delete the thread title and the original post?!!

Does anyone find that a bit suspicious and/or odd?    Huh

Doesn't matter as he was quoted saying the original text anyway.
newbie
Activity: 10
Merit: 0
February 09, 2011, 04:10:23 PM
#6
EDITED by talkinrock
newbie
Activity: 3
Merit: 0
February 09, 2011, 01:14:03 AM
#5
Quote
>XSS vulnerability on facebook.com 10000 BTC
Warning: topic may be controversial. I am a security researcher. I found a cross-site scripting vulnerability on facebook.com which I decided to sell for 10k BTC.

You will get exclusivity.
It is not known by anyone else.
It is the result of 30+ hours of research.
It has never been "used" other than in my tests.
It was discovered months ago and is still working.

Technical details
Entice a user authenticated to Facebook to browse a specially crafted link "http://...facebook.com/...". My non-persistent XSS will allow you to execute arbitrary javascript code under her identity, read/modify her profile, etc.

My goals
Raise awareness that even high-profile sites are rarely secure. And perhaps push Facebook a little bit toward accepting the idea that buying vulnerabilities from security researchers would be good for them and the Internet community. Just like Google buys vulnerabilities from researchers, which has tremendously helped secure their online apps in the last few months.

Excellent google cache got it :-)

From his discription it doesnt sound like what is explained in that blog post... He said its a "non-persistent XSS" , enticing a user to run javascript in their browser is not XSS.
full member
Activity: 126
Merit: 100
February 06, 2011, 11:46:39 PM
#4

You will get exclusivity.
It is not known by anyone else.
It is the result of 30+ hours of research.
It has never been "used" other than in my tests.
It was discovered months ago and is still working.


http://blog.cartercole.com/2010/06/social-engineering-crazy-encoding.html

Is this what you speak of?
legendary
Activity: 1232
Merit: 1076
January 30, 2011, 05:01:41 AM
#3
you could get a lot more for this 0-day vulnerability. you should find a trusted forum member, pay them 30 btc to verify it's real and then put it up in an auction.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
January 30, 2011, 03:59:35 AM
#2
If anyone goes for this use clearcoin.
mrb
legendary
Activity: 1512
Merit: 1028
January 30, 2011, 02:36:24 AM
#1
.
Jump to: