>XSS vulnerability on facebook.com 10000 BTC
Warning: topic may be controversial. I am a security researcher. I found a cross-site scripting vulnerability on facebook.com which I decided to sell for 10k BTC.
You will get exclusivity.
It is not known by anyone else.
It is the result of 30+ hours of research.
It has never been "used" other than in my tests.
It was discovered months ago and is still working.
Technical details
Entice a user authenticated to Facebook to browse a specially crafted link "http://...facebook.com/...". My non-persistent XSS will allow you to execute arbitrary JavaScript code under her identity, read/modify her profile, etc.
My goals
Raise awareness that even high-profile sites are rarely secure. And perhaps push Facebook a little bit toward accepting the idea that buying vulnerabilities from security researchers would be good for them and the Internet community. Just like Google buys vulnerabilities from researchers, which has tremendously helped secure their online apps in the last few months.
Excellent, Google cache got it :-)
From his description it doesn't sound like what is explained in that blog post... He said it's a "non-persistent XSS", enticing a user to run JavaScript in their browser is not XSS.