What should I do now?
Should I give away 4 days of hard work and disclose the vulnerabilities privately to Facebook?
Should I adopt full disclosure and release the details concurrently to Facebook and everyone else?
Should I sell my findings to the black market? What is the harm really, besides some more Facebook spam until the flaws are fixed? You can reply to my post using this PGP key: http://article.gmane.org/gmane.test/5884
Should I sell them to legitimate buyers, penetration testers, private investigators, ...? Where are the TippingPoint ZDI or iDefense VCP of web site vulnerabilities?