Nir Goldshlager has found ways to gain unauthorized access to Facebook accounts. He has hacked the social network more than 100 times and even wrote a recent post called “How I Hacked Any Facebook Account… Again!”. But Nir is one of the good guys, known as the “white hat” hackers, and helps Facebook improve its security. Actually, he saved Facebook twice this year.
Goldshlager discovered a major security breach in Facebook’s OAuth authentication protocol for external services, that would allow hackers to take control of accounts. Facebook covered the breach but then Goldshlager discovered a second major problem in the corrected code.
He said it takes him around five hours to find a Facebook bug.
It looks like Facebook owes Goldshlager big time!
“Even after they repaired the hole I managed to take over accounts through two parallel channels,” Goldshlager said. “One was by sending a link directly to a user, taking advantage of the hole and gaining access to accounts, and injecting code to masses of data that many users access.”
“Users would have no way of knowing that I had accessed their account. I was able to access all personal information, including private pages with statistics, content, friends lists, etc.”
Two years ago, Facebook launched its “bug bounty program” which pays independent researchers to report security flaws in the social-networking site. The program encourages the “white hat” hackers to find and report bugs so that Facebook can fix them before the “black hat” hackers exploit them for malicious purposes.
Facebook pays a minimum of $500 for valuable information, so long as the hacker is the first to report the bug and agrees not to disclose it until after the company has fixed it. Goldshlager declined to say how much money he has made from Facebook’s bug bounty program.
“Let’s just say a good amount,” he said.
Goldshlager has tested computer security systems for some of the biggest companies in the world, including Google and Paypal. For the second year in a row, he is the No. 1 name in Facebook’s security “hall of fame,” featured on a page thanking hackers “for making a responsible disclosure to us, on behalf of over a billion users.” Goldshlager also appeared on the list in 2011, in second place.
Nir Goldshlager was born on May 19, 1985. The 27-year-old Israeli researcher is a staff member at the Israeli cyber-security firm Avnet. He is Founder/CEO of Break Security. He has also worked in:
– Web Application Penetration Test Expert at Avnet at Avnet Technologies
– Web Application Penetration Test Expert at Avnet at Avnet (January 2010 – February 2013, and 2006 – 2009)
– Security Research at Imperva (2009 – 2010)
– Security Manager at Ewave (2004 – 2006)
Besides being Top Whitehat Hacker in Facebook, he’s got special mention in Google Security Sustained Support List, helped PayPal patches Critical Security Vulnerabilities, found eBay Security Vulnerabilities, and discovered Hundreds of Banking Sites Vulnerable to RSA Security Flaw.