Friday, August 18, 2017

Tag: Brute Force

Attackers leveraged popular cloud service platforms to conduct persistent - and stealthy - login attempts on corporate Office 365 accounts.
Two words: Sweet 2FA

Comment: Just under 90 Parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend.

And there is a long-established technology which can normally see off this kind of attack.…
Brute force attack on weak passwords cracked <90 email accounts

The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attack” over the weekend and says <90 email accounts have been compromised as a result.…
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks.
In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.
A researcher claims that almost 200,000 shoddily made IP cameras could be an easy target for attackers looking to spy, brute force them or steal their credentials.
Google's vast cloud computing infrastructure was harnessed to demonstrate that it is possible to crack the Secure Hash Algorithm-1 cryptographic function through brute force computational methods.
In other words, crypto ransomware is a fine-tuned, user-friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.
Let me check my Rolodex... T for Travel Agent...

Legacy travel booking systems disclose travellers’ private information, security researchers warn. Travel bookings worldwide are maintained in a handful of Global Distributed Systems (GDS) built around mainframe computers linked to the web but without adequate security controls, say the researchers. “The systems have since been interwoven with web services, but still lack several web security best practices,” according to researchers from German security firm Security Research Labs.

The three largest travel booking systems - Amadeus, Sabre, and Travelport - administer more than 90 per cent of flight reservations as well as numerous hotel, car, and other travel bookings. All three systems use a booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) to access and change travellers’ information. This authenticator is printed on boarding passes and luggage tags. The firm claims anybody able to find or take a photo of the pass or tag can theoretically access the traveller’s information – including email address and phone number – through the GDS or an airline’s website.

Traveller information is also at risk of hacking because authentication strings can be vulnerable to brute-force attacks, say the researchers. Two of the three main GDSes assign booking codes sequentially, further shrinking the search space needed for a brute force attack. Airlines and GDS systems fail to block IP addresses after a large number of unsuccessful booking attempts, claims the firm. “Given only passengers’ last names, their booking codes can be found over the Internet with little effort,” the researchers conclude.

Obtaining a booking code opens the door to all manner of abuse, the researchers claim. The booking overview typically contains contact information such as phone number, email, postal address, travel dates and preferences, and often passport information. Worse yet, most airlines allow flight changes - some even cancellations for a voucher - potentially allowing hackers to steal flight credits and travel for free. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights. Lastly, knowing details of a booking that has just been made – which is possible in GDSes that use sequential booking codes – creates a launchpad for hackers to target travellers for social engineering, asking for their payment info or frequent traveller credentials, claims the firm.

El Reg invited Amadeus, Sabre, and Travelport to comment on the research. In a statement, Amadeus said it was reviewing the findings:

“Amadeus is assessing the findings of the research on travel industry security, and we have upgraded security to our own properties. We give the security of customer systems and data the highest priority and our systems and processes are under continuous review. We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems.”

Travelport offered a generic statement (below) saying that it takes security seriously without commenting on the specifics of Security Research Labs’ research:

“Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively and lead. As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.”

We’ve yet to hear back from Sabre.

“Global booking systems have pioneered many technologies including cloud computing,” the researchers conclude. “Now is the time to add security best practices that other cloud users have long taken for granted.” “In the short-term, all websites that allow access to traveller records should require proper brute-force protection in the form of CAPTCHAs and retry limits per IP address,” they add.

Details of the research were presented at the 33C3 conference last week, in a talk entitled Where in the World Is Carmen Sandiego?: Becoming a secret travel agent (slide deck, pdf). A 60-minute video of the presentation can be found here.
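The per-IP retry limit the researchers recommend, shown as an added Python example that is not part of the article or of Security Research Labs' work. Only the 6-character alphanumeric locator format and the sample code 8EI29V come from the page; the RetryLimiter class, the lookup_booking helper, the constructed booking under the name MUSTERMANN and the simulate_guessing driver are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# From the article: a PNR locator is a 6-character string over A-Z and 0-9.
PNR_ALPHABET_SIZE = 36
PNR_LENGTH = 6


def pnr_keyspace():
    """Number of possible 6-character alphanumeric locators (36**6)."""
    return PNR_ALPHABET_SIZE ** PNR_LENGTH


class RetryLimiter:
    """Per-client retry limit for a booking-lookup endpoint (assumed design).

    Each failed lookup is counted against the client key (here the source IP)
    inside a sliding window. Reaching max_failures within window_seconds locks
    that key out for lockout_seconds, so an unthrottled guessing loop stalls
    after a handful of wrong locators instead of walking the sequence.
    """

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock              # injectable for deterministic tests
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]     # lockout has expired
        return False

    def record_failure(self, key):
        now = self.clock()
        attempts = self._failures[key]
        attempts.append(now)
        # drop failures that fell out of the sliding window
        while attempts and now - attempts[0] > self.window_seconds:
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            attempts.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


# Constructed sample booking store; 8EI29V is the page's own example locator.
BOOKINGS = {
    ("MUSTERMANN", "8EI29V"): {"flight": "XX123", "email": "traveller@example.com"},
}


def lookup_booking(limiter, client_ip, last_name, locator):
    """Booking lookup guarded by the per-IP retry limiter.

    Returns ("locked", None) while the IP is locked out, ("not_found", None)
    for a wrong name/locator pair, and ("ok", record) on a match.
    """
    if limiter.is_locked(client_ip):
        return ("locked", None)
    record = BOOKINGS.get((last_name.strip().upper(), locator.strip().upper()))
    if record is None:
        limiter.record_failure(client_ip)
        return ("not_found", None)
    limiter.record_success(client_ip)
    return ("ok", record)


def simulate_guessing(max_failures=5):
    """Feed sequential wrong locators from one IP until the limiter bites.

    Returns how many lookups reached the booking store before the IP was
    locked out; with a working limiter that equals max_failures.
    """
    fake_now = [0.0]
    limiter = RetryLimiter(max_failures=max_failures, clock=lambda: fake_now[0])
    served = 0
    for i in range(20):
        fake_now[0] += 1.0
        guess = "8EI29" + chr(ord("A") + i)   # 8EI29A, 8EI29B, ... never 8EI29V
        status, _ = lookup_booking(limiter, "198.51.100.7", "Mustermann", guess)
        if status == "locked":
            break
        served += 1
    return served


if __name__ == "__main__":
    print("locator keyspace:", pnr_keyspace())
    print("lookups served before lockout:", simulate_guessing())
```

The limiter keys on the source address because that is what the researchers asked for; since a guesser can rotate addresses, a deployment would pair it with the CAPTCHA they also recommend and a cap on failed lookups per last name.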
Whether quantum computing is 10 years away or is already here, it promises to make current encryption methods obsolete, so enterprises need to start laying the groundwork for new encryption methods. A quantum computer uses qubits instead of bits.

A bit can be a zero or a one, but a qubit can be both simultaneously, which is weird and hard to program, but once folks get it working, it has the potential to be significantly more powerful than any of today's computers. And it will make many of today's public key algorithms obsolete, said Kevin Curran, IEEE senior member and a professor at the University of Ulster, where he heads up the Ambient Intelligence Research Group. That includes today's most popular algorithms, he said.

For example, one common encryption method is based on the fact that it is extremely difficult to find the factors of very large numbers. "All of these problems can be solved on a powerful quantum computer," he said. He added that the problems lie mostly with public key systems, where the information is encoded and decoded by different people.

Symmetric algorithms, commonly used to encrypt local files and databases, don't have the same weaknesses and will survive a bit longer. And increasing the length of the encryption keys will make those algorithms more secure.

For public key encryption, such as that used for online communications and financial transactions, possible post-quantum alternatives include lattice-based, hash-based, and multivariate cryptographic algorithms as well as those that update today's Diffie-Hellman algorithm with supersingular elliptic curves. Google is already experimenting with some of these, Curran said. "Google is working with the lattice-based public-key New Hope algorithm," he said. "They are deploying it in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm. By adding a post-quantum algorithm on top of the existing one, they are able to experiment without affecting user security."

Flexibility is key

Some future-proof encryption algorithms have already been developed and are now being tested, but enterprises need to start checking now whether their systems, both those that they have developed themselves and those provided by vendors, are flexible enough to allow old, obsolete algorithms to be easily replaced by new ones. Fortunately, according to Curran, there are already algorithms out there that seem to be workable replacements and that can run on existing computers.

One company that is paying very close attention to this is Echoworx, which provides on-premises and cloud-based enterprise encryption software. Quantum computing will break all of today's commonly used encryption algorithms, said Sam Elsharif, vice president of software development at Echoworx. Encryption that today's most sophisticated computer can break only after thousands of years of work will be beaten by a quantum computer in minutes. "This is obviously very troubling, since it's the core of our business," he said. "Echoworx will be in trouble -- but so will all of today's infrastructure."

Since longer keys won't work for public key encryption and companies will need to replace their algorithms, the encryption technology needs to be modular. "It's called cryptographic agility," he said. "It means that you don't hard-wire encryption algorithms into your software, but make them more like pluggable modules. This is how software should be designed, and this is what we do at Echoworx." Once post-quantum algorithms have been tested and become standards, Echoworx will be able to swap out the old ones with the new ones, he said. "You will still have a problem with old data," he said. "That data will either have to be destroyed or re-encrypted." Hardware-based encryption appliances will also need to be replaced if they can't be upgraded, he said.

Don't worry, it's still a long way off

How soon is this going to be needed? Not right away, some experts say. "The threat is real," said Elsharif. "The theory is proven, it's just a matter of engineering." But that engineering could take 10, 15 or 20 years, he said. Ulster University's Curran says that quantum computers need to have at least 500 qubits before they can start breaking current encryption, and the biggest current quantum computer has less than 15 qubits. "So there is no immediate worry," said Curran. However, research organizations should be working on the problem now, he said. "We may very well find that we do not actually need post-quantum cryptography but that risk is perhaps too large to take and if we do not conduct the research now, then we may lose years of critical research in this area."

Meanwhile, there's no reason for an attacker to try to break encryption by brute force if they can simply hack into users' email accounts or use stolen credentials to access databases and key files. Companies still have lots of work to do on improving authentication, fixing bugs, and patching outdated, vulnerable software. "Many steps need to be taken to tighten up a company’s vulnerability footprint before even discussing encryption," said Justin Fier, director of cyber intelligence and analysis at Darktrace. In addition, when attackers are able to bypass encryption, they usually do it because the technology is not implemented correctly, or uses weak algorithms. "We still have not employed proper protection of our data using current cryptography, let alone a future form," he said. "Quantum computing is still very much theoretical," he added. "Additionally, even if a prototype had been designed, the sheer cost required to build and operate the device within the extreme temperature constraints would make it difficult to immediately enter the mainstream marketplace."

No, go right ahead and panic

Sure, the typical criminal gang might not have a quantum computer right now with which to do encryption. But that's not necessarily true for all attackers, said Mike Stute, chief scientist at security firm Masergy Communications. There have already been public announcements from China about breakthroughs in both quantum computing and in unbreakable quantum communications. "It's probably safe to say that nation states are not on the first generation of the technology but are probably on the second," he said. There are even some signs that nation states are able to break encryption, Stute added. It might not be a fast process, but it's usable. "They have to focus on what they really want," he said. "And a bigger quantum computer will do more." That means that companies with particularly sensitive data might want to start looking at upgrading their encryption algorithms sooner rather than later.

Plus, there are already some quantum computers on the market, he added. The first commercial quantum computer was released by D-Wave Systems more than a year ago, and Google was one of its first customers. "Most everyone was skeptical, but they seem to have passed the test," said Stute. The D-Wave computer claims to have 1,000 qubits -- and the company has announced a 2,000-qubit computer that will be coming out in 2017. But they're talking about a different kind of qubit, Stute said. It has a very limited set of uses, he said, unlike a general-purpose quantum computer like IBM's which would be well suited for cracking encryption. IBM's quantum computer has five qubits, and is commercially available. "You can pay them to do your calculations," he said. "I was able to do some testing, and it all seems on the up and up. It's coming faster than we think."

This story, "Prepare now for the quantum computing revolution in encryption" was originally published by CSO.
The security used for travel bookings worldwide is very poor and open to abuse. Booking a flight has become a simple process thanks to the Internet, and once you have flights secured you can relax, right? Well, for the most part that's true. Your sea...
As a tumultuous 2016 draws to a close, one case distilled contemporary law enforcement, terrorism, encryption, and surveillance issues more than any other: the case popularly known as “FBI vs. Apple.” The ordeal began on February 16 when a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the seized iPhone 5C used by Syed Rizwan Farook.

Farook had shot up an office party in a terrorist attack in nearby San Bernardino in December 2015. Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which was running iOS 9.

This order was unprecedented. Apple refused, and the two sides battled it out in court filings and the court of public opinion for weeks. But the day before they were set to argue before the judge in Riverside, prosecutors called it off.

They announced that federal investigators had found some mysterious way to access the contents of Farook’s phone, but provided hardly any details.
In April 2016, Ars reported that the FBI paid at least $1.3 million for a way to access the phone.

But getting into the phone seems to have resulted in little, if any, meaningful benefits. The underlying legal issue remains unresolved.
In May 2016, FBI Director James Comey noted that the government would likely bring further legal challenges in the near future.

The law is clearly struggling to keep up with the current realities of encryption.

These issues impact not only national security cases, but also more run-of-the-mill crimes. In short, many of the most profound questions of our time have yet to be resolved.

These include: what measures can the government take in order to mitigate encryption? What tools can the government employ in order to conduct legitimate investigations? Can a person or a company be compelled to hand over a password or fingerprint to unlock a phone or create new software to achieve that end? In years past, Ars has tried to predict what privacy-related cases would reach the Supreme Court.

Given that our track record has been abysmal, we’re going to take a slightly different approach this year.

Today, we’ll update the five surveillance-related cases that we thought would become huge in 2016.

Tomorrow, we’ll expand our outlook to include other important legal cases still ongoing in 2017 that touch on important tech issues.

Not exactly an angel on top

Case: United States v. Mohamud
Status: 9th US Circuit Court of Appeals rejected appeal in December 2016

As with last year, we’ll begin with the story of a terrorism suspect who was convicted of attempting to blow up a Christmas tree lighting ceremony in Portland, Oregon, in 2010.

That case involved a Somali-American, Mohamed Osman Mohamud, who became a radicalized wannabe terrorist. Mohamud believed that he was corresponding with an Al-Qaeda sympathizer, and he was eventually introduced to another man who he believed was a weapons expert.

Both of those men were with the FBI. Mohamud thought it would be a good idea to target the ceremony on November 27, 2010. He was arrested possessing what he believed was a detonator, but it was, in fact, a dud. Earlier this month, the 9th US Circuit Court of Appeals rejected an effort to overturn Mohamed Osman Mohamud’s conviction on the grounds that the surveillance to initially identify the suspect did not require a warrant. Mohamud went to trial, was eventually found guilty, and was then sentenced to 30 years in prison. After the conviction, the government disclosed that it used surveillance under Section 702 of the FISA Amendments Act to collect and search Mohamud's e-mail.
Seeing this, Mohamud’s legal team attempted to re-open the case, but the 9th Circuit disagreed. As the 9th Circuit ruled: "The panel held that no warrant was required to intercept the overseas foreign national’s communications or to intercept a U.S. person’s communications incidentally." From here, Mohamud and his legal team could ask that the 9th Circuit re-hear the appeal with a full panel of judges (en banc), or they could appeal up to the Supreme Court.
If either court declines, the case is over, and the ruling stands.

Slowly turning wheels of justice

Case: United States v. Hasbajrami
Status: Appeal pending in 2nd US Circuit Court of Appeals

Similar to Mohamud, another notable terrorism case revolves around Section 702 surveillance.

As we reported at this time last year, Hasbajrami involves a United States person (citizen or legal resident) accused of attempting to provide support for terrorism-related activities.

According to the government, Agron Hasbajrami, an Albanian citizen and Brooklyn resident, traded e-mails with a Pakistan-based terror suspect back in 2011.

The terror suspect claimed to be involved in attacks against the US military in Afghanistan.

After he was apprehended, Hasbajrami pleaded guilty in 2013 to attempting to provide material support to terrorists. After he pleaded guilty, the government informed Hasbajrami that, like with Mohamud, it had used Section 702 surveillance against him, and the case was re-opened. Many cases that have tried to fight surveillance have fallen down for lack of standing. Hasbajrami’s case is different, however, because he can definitively prove that he was spied upon by the government. As his case neared trial in mid-2015, Hasbajrami pleaded guilty a second time.

But shortly thereafter, he moved to withdraw the plea again, which the judge rejected.
So the case progressed to the 2nd US Circuit Court of Appeals. Earlier this year, when we expected to see Hasbajrami’s first appellate filing, his new lawyers filed an application with the judge.

They asked that the case be held “in abeyance,” which essentially puts a kind of stay on the appeals process.

The 2nd Circuit agreed. The reason? Because US District Judge John Gleeson, then the judge at the lower-court level, issued a classified opinion “which directly relates to and impacts the issues to be raised on appeal.” United States v. Hasbajrami was delayed when Judge Gleeson stepped down from the bench in late February. While Judge Gleeson’s opinion was released (in a redacted form) to the defense attorneys, by September, defense attorneys argued again in filings to the new judge that they possess adequate security clearance and should be given access to this material, unredacted. As they wrote:

“In that context, the government repeatedly fails—in its argument as well as the authority it cites—to distinguish public release of the redacted portions from providing security-cleared defense counsel access to that material. Here, all Mr. Hasbajrami seeks is the latter. Thus, the dangers of dissemination beyond those already authorized to review classified information simply do not exist, and the government’s contentions with respect to national security serve as a red herring.”

The most recent entry in either the appellate or district court docket is an October 31 filing.
In it, defense attorneys inform the 2nd Circuit that they are still waiting for Chief US District Judge Dora Irizarry to rule on receiving the unredacted version. One of Hasbajrami’s attorneys is Joshua Dratel.

Dratel is famous for having defended (and still defending) Ross Ulbricht, the convicted mastermind behind the Silk Road drug marketplace website.

The Free Encyclopedia

Case: Wikimedia v. NSA
Status: Appeal pending in 4th US Circuit Court of Appeals

Of course, Section 702 is just one of many ways the government is conducting surveillance beyond its intended target. Wikimedia v. NSA is one of several cases that has tried to target the “upstream” setup that allows the NSA to grab data directly off fiber optic cables. Wikimedia, which publishes Wikipedia, filed its case originally in March 2015.
In it, the company argues that the government is engaged in illegal and unconstitutional searches and seizures of these groups’ communications. But, in October 2015, US District Judge T.S. Ellis III dismissed the case. He found that Wikimedia and the other plaintiffs had no standing and could not prove that they had been surveilled.

That action largely echoed a 2013 Supreme Court decision, Clapper v. Amnesty International. The plaintiffs filed their appeal to the 4th US Circuit Court of Appeals immediately.
In their February 2016 opening brief, which was written by top attorneys from the American Civil Liberties Union, they argue essentially that Wikipedia traffic had to have been captured in the National Security Agency’s snare because it’s one of the most-trafficked sites on the Internet. They wrote:

“In other words, even if the NSA were conducting Upstream surveillance on only a single circuit, it would be copying and reviewing the Wikimedia communications that traverse that circuit. But the government has acknowledged monitoring multiple internet circuits—making it only more certain that Wikimedia’s communications are being copied and reviewed. Moreover, the NSA’s own documents indicate that it is copying and reviewing Wikimedia’s communications. Taken together, these detailed factual allegations leave no doubt as to the plausibility of Wikimedia’s standing.”

The government, for its part, countered by saying that the 4th Circuit should uphold the district court’s ruling. Why? Because, as it argued in April 2016, Wikimedia’s argument is largely speculative:

“... the facts do not support plaintiffs’ assumption that Wikimedia’s communications must traverse every fiber of every sub-cable such that, if the NSA is monitoring only one fiber or even one sub-cable, it still must be intercepting, copying, and reviewing Wikimedia’s communications.”

Beyond that, the government continued, even if Wikimedia’s communications were intercepted, the plaintiffs have not demonstrated how they have actually been injured, because a large portion of the NSA’s interception is done by machine. The government continued:

“Indeed, plaintiffs’ complaint generally fails to state a cognizable injury because, whatever the nature of the particular communications at issue, plaintiffs have made no allegation that interception, copying, and filtering for selectors involve any human review of the content of those communications.”

The two sides squared off at the 4th Circuit in Baltimore on December 8, 2016 for oral arguments.

A decision is expected within the next few months.

Fast food, fast crimes

Case: United States v. Graham
Status: Decided en banc at 4th US Circuit Court of Appeals, cert petition filed to Supreme Court

This case was a big hope for many civil libertarians and privacy activists.

An appeals court had initially rejected the thorny third-party doctrine and found that, because the two suspects voluntarily disclosed their own location to their mobile carrier via their phones, they did not have a reasonable expectation of privacy. But in May 2016, the 4th US Circuit Court of Appeals, in an en banc ruling, found in favor of the government.

The court concluded that police did not, in fact, need a warrant to obtain more than 200 days' worth of cell-site location information (CSLI) for two criminal suspects. As the court ruled:

“The Supreme Court may in the future limit, or even eliminate, the third-party doctrine. Congress may act to require a warrant for CSLI. But without a change in controlling law, we cannot conclude that the Government violated the Fourth Amendment in this case.”

This case dates back to February 5, 2011 when two men robbed a Burger King and a McDonald’s in Baltimore.

Ten minutes later, they were caught and cuffed by Baltimore City Police officers.

Eventually, Aaron Graham and Eric Jordan were charged with 17 federal counts of interstate robbery, including a pair of fast food robberies and another one at a 7-Eleven.

They also received charges for brandishing a firearm in furtherance of the crime. A Baltimore City Police detective first sought and obtained a search warrant for the two cell phones recovered during a search of the getaway car. Prosecutors later obtained a court order (a lesser standard than a warrant) granting disclosure of the defendants’ CSLI data for various periods totaling 14 days when the suspects were believed to have been involved in robberies.

The government next applied for (and received) a second application to another magistrate judge for a new set of CSLI data, covering a period of July 1, 2010 through February 6, 2011 (221 days). In August 2012, Graham and Jordan were found guilty on nearly all counts.

They were sentenced to 147 years in prison and 72 years, respectively. Meghan Skelton, Graham’s public defender, has filed an appeal with the Supreme Court, which has not yet decided whether it will hear the case.

Who is the Dread Pirate Roberts?

Cases: United States v. Ulbricht and United States v. Bridges
Status: Appeals pending in 2nd US Circuit Court of Appeals and 9th US Circuit Court of Appeals, respectively

While Section 702 surveillance and cell-site location information are important, there was one defendant who was defeated largely by snatching his laptop out of his hands: Ross Ulbricht.

The young Texan was convicted as being Dread Pirate Roberts, the creator of the notorious online drug market Silk Road. Later on in 2015, Ulbricht was given a double life sentence, despite emotional pleas from himself, his family, and friends for far less. 2016 kicked off with Ross Ulbricht’s formal appeal to the 2nd Circuit.

Ars described it as a “170-page whopper that revisits several of the evidentiary arguments that Ulbricht's lawyer made at trial.” These included theories that Ulbricht wasn’t Dread Pirate Roberts, and it attributed digital evidence found on Ulbricht’s computer to “vulnerabilities inherent to the Internet and digital data,” like hacking and fabrication of files.

According to the appeal, these “vulnerabilities” made “much of the evidence against Ulbricht inauthentic, unattributable to him, and/or ultimately unreliable.” Plus, corrupt federal agents Shaun Bridges and Carl Mark Force tarnished the case against Ulbricht, claimed his lawyer.

That lawyer is Joshua Dratel, who makes his second appearance on this list. The government responded with its own 186-page whopper on June 17, 2016.

After a lengthy recap of the entire case, United States Attorney Preet Bharara opened his arguments with a notable flaw in Ulbricht’s logic:

“But nowhere, either below or here, has Ulbricht explained, other than in the most conclusory way, how the corruption of two agents—who neither testified at his trial nor generated the evidence against him—tended to disprove that he was running Silk Road from his laptop.”

In short, the government argues, Ulbricht was caught red-handed, and the appeals court should uphold both the conviction and the sentence. The following month, federal prosecutors in San Francisco unsealed new court documents that make a strong case that former agent Bridges stole another $600,000 in bitcoins after he pleaded guilty. By August 2016, Bridges’ lawyer Davina Pujari filed what she herself said was a “legally frivolous” appeal to the 9th Circuit on behalf of her client, and she asked to be removed from the case.

Bridges’ case remains pending at the appellate level, and no oral arguments have been scheduled. (Pujari is still Bridges’ lawyer for now.) Bridges remains a prisoner at the Terre Haute Federal Correctional Institute in Indiana, where he is scheduled for release in 2021. Later in August, Ars chronicled the saga of how a San Francisco-based federal prosecutor joined forces with a dogged Internal Revenue Service special agent to bring Bridges and Force to justice. Meanwhile, Ulbricht’s lawyers, led by Joshua Dratel, faced off at the 2nd Circuit against federal prosecutors on October 6, 2016 to challenge Ulbricht’s conviction and sentence.

The court is expected to rule within the next few months.
Christmas came early for Facebook bug bounty hunter Tommy DeVoss, who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email addresses of any Facebook user. “The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook,” DeVoss said. “It didn’t matter how private you thought your email address was – I could have grabbed it.” DeVoss said on Thanksgiving Day he discovered the vulnerability and reported it to Facebook via its bug bounty program.

After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery.

And on Tuesday it did. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform.

DeVoss discovered that, as an administrator of a Facebook Group, he could invite any Facebook member to take on Admin Roles via Facebook’s system to do things such as edit posts or add new members. Those invitations were handled by Facebook and sent to the invited recipient’s Facebook Messages inbox, but also to the email address associated with the invited user’s account.
In many cases users choose to keep their email addresses private.

DeVoss discovered, despite privacy settings set by Facebook members, he was able to gain access to any Facebook user’s email address whether he was Friends with them or not. DeVoss found that when he cancelled pending invitations to those invited to be Facebook Group Administrators there was a glitch. “While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request,” he said.

Next, he switched to Facebook’s mobile view of the Page Roles tab. Here DeVoss was able to view the full email addresses of anyone he wanted to cancel from becoming a Facebook Group Administrator. “I noticed that when you clicked to cancel the administrator invitation on the mobile page, you were redirected to a page with the email address in the URL,” he said. “Now all you have to do is pluck the plaintext version of the confidential email address straight from the URL.”

The impact of this vulnerability could be diverse, he wrote in a blog post outlining his discovery. “Harvesting email addresses this way contradicts Facebook’s privacy policy and could lead to targeted phishing attempts or other malicious purposes.” Facebook confirmed the hack and said it has no evidence the vulnerability was ever misused.

Facebook said it has implemented a fix to prevent the issue from being exploited. DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told Threatpost he participates in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program. For its part, in October Facebook announced it has paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program.

The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone. Facebook was one of the first websites to launch a bug program when it followed in the footsteps of both Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug that allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.