Hacker News: franjkovic's comments

Yeah. In the one-day timeframe between the temporary and the permanent fix you could not upload a resume, which is a breaking change for end users.

But I think it was pushed because it was Sunday and the Careers team was not on site to properly/permanently fix the bug.


Well, they had to figure out what was going on with software from a third-party vendor. That likely adds overhead.

But hey, I'd break all kinds of functionality temporarily to make sure this exploit, which, as is explained, looked worse than it ended up being, wasn't actually as bad as (or worse than) it looked.


I agree with this, too. Personally, I would probably do the same. A day of breaking a small part of the site vs. killing a local file read seems like a good trade.


Great bug, congrats!

I saw that request when going through iphone.facebook.com, but never tried anything there... I assume it worked on all x/mobile/m/touch/iphone.facebook.com?


It worked on the Facebook mobile sites that use the touch UI (x/touch/iphone but not m).


Just added a timeline for the report on the blog.


I agree with this, yet BB programs are still very successful. Why? Because not everyone who knows about websec has a job in the field. The second thing is, $500 as a minimum reward may seem small in first-world countries, but in the rest it is close to the average monthly pay.


The redirect URL when you give access to Facebook is different for other email providers. Hotmail (that is, Outlook) is the only one that worked as far as I know. I have tested Gmail and Yahoo, but neither of them was exploitable (there is also a chance I missed something, so it is worth checking again).


You can read about all kinds of bugs and "bugs" I found in bounty programs on my old blog, too: http://josipfranjkovic.blogspot.com/


Actually, I waited until we pushed the Pyxio website online. Since I am not a native English speaker, what would be the best replacement for the current title?


"Post-mortem" is usually appended to titles for solved vulnerabilities, although this was 2 months ago. Maybe just timestamp it? e.g. "Facebook CSRF leading to full account takeover (Post-mortem, August 2013)"


That would imply that the Post-Mortem itself was written in August 2013, which would probably get far fewer clicks as people assume they've read about the vulnerability before.


$12,500. (More than) good enough for me; it takes a year of work on an average salary to get this much money in my country.


Congrats. This is exactly how responsible disclosure is supposed to work. You spend valuable time looking for holes and when you find one they fix it quickly and compensate you for your trouble.


That's awesome. Congrats on making the money and raising the issue correctly, as well as not going off the ethical deep end.


Out of curiosity, how much time did you spend on this?


I spend 4-5 hours a week hunting for bugs.

The "session" I found this bug in was around 2 hours long.


Were you able to do this all with the dummy accounts that Facebook provides for the Bug Bounty program or did any steps require a genuine account? Just curious as I always wonder whether there are bugs that affect genuine accounts and not dummy accounts or vice-versa.


That's awesome.

Also sounds like you should maybe try to move to a different country, if you can!


He'd probably be better off staying where he is and courting customers in the US and UK. The combination of a low cost of living and a metropolitan income (or as close as possible) is a splendid combination.


Probably worth $500k to a government actor.


Well done, mate :)

