Father-Daughter Hacking Team Finds Valuable Facebook Bug

The Wysopal name has been on vulnerability advisories for better than 20 years now, and it doesn’t look like that is going to end anytime soon. But the name on those advisories in the future may be Renee rather than Chris Wysopal.

Chris, one of the founding member of the L0pht hacking collective and now the CTO and CISO at Veracode, helped shape the way that vulnerabilities were reported to vendors and disclosed to users and has been a part of some of the industry wide efforts to define disclosure guidelines and vendor responses. While at @stake, Wyspoal and the rest of the research team were at the forefront of the movement that sought to pressure vendors into working closely and honestly with security researchers who disclosed bugs to them.

Now, his daughter Renee is following in his footsteps. During a summer internship at Veracode, Renee, a sophomore at Trinity College in Hartford, Conn., took part in the company’s annual hackathon, a days-long event in which all employees are encouraged to participate and work on a hacking project. Renee, who was working in the human resources department, decided to work with her dad on a project to find a vulnerability that would qualify for Facebook’s bug bounty.

“I’d seen on Twitter that Facebook would pay a bounty, so I immediately of doing something with my dad and he said we should do it together since I’m in college and Facebook is very prevalent in my age group and my dad is a hacker, so we thought it would be fun to bring it together,” she said.

Because Renee was a security neophyte, they started at the beginning. Chris began by showing her what he would do to tackle a Web app like Facebook.

“I started by showing her how to use a Web proxy and view source and then modify the different parameters outside of the Web interface so you could attack the Web app,” Chris said. “So she went off started thinking about where there could be a bug and she gravitated to one of the hairier parts of Facebook, which is the privacy and permission model.”

So Renee began tinkering with the Facebook app and within a few days she started to focus on the feature that enables users to block other users from their pages. It’s a much-used privacy feature and the idea is to allow users to keep people they’re no longer interested in interacting with from being able to post messages on their profiles. Renee happened to notice that there were a bunch of messages on her page from someone she had blocked some time ago.

“I thought there must be some kind of weakness there,” she said, “if Facebook was still allowing her to have her name all over my profile. I think I figured it out the next day. I read all about the Facebook white hat program and they ask you to use test accounts. I was using a test account, so once that worked I was excited but i thought maybe it was just a flaw in the test account.”

She then tested it out on a friend’s account and found that it still worked. After blocking herself on her friend’s account, she was still able to get messages through to her friend’s account. So, with the help of her dad, Renee wrote up the vulnerability report and submitted it to Facebook’s bug bounty program in August. By the time she found the bug, tested it and submitted the report, the Veracode hackathon was nearly over and it was time for Renee and Chris to deliver their report on what they’d achieved. But they didn’t yet have an answer from Facebook on whether the bug qualified for a bounty.

“It was disappointing because we had to give a report and we hadn’t gotten a reply yet,” Renee said. “All we could say was, we submitted this report. At some point they said, we’ll get back to you later.”

Later turned out to be more than two months, but when the answer came, it was good news: Renee’s find had earned her a $2,500 reward from Facebook.

“It was definitely a surprise. I went back to school and sort of forgot about it and was just focused on school,” she said. “I definitely thought I wasn’t going to find anything, but I figured my dad would.”

Renee, who hasn’t declared a major yet but is leaning toward political science, said she really didn’t have a good idea of what her dad did when she was younger.

“I just always remember him being in his home office on his computer typing weird characters. Even when I was six or seven, I’d ask what he was doing and he’d say he was hacking. I had no idea what that was,” she said. “It was probably only in the last few years that I realized how cool the stuff he did was, after reading his Wikipedia page. He’s pretty modest about it.”

So has her foray into hacking sold her on following her dad’s path?

“For now I think it’s a one and done type thing because it’s such a frustrating process. In some ways I feel like I got lucky to find that,” she said.

 

Suggested articles