
Full disclosure of Facebook BugBusters app security vulnerabilities

A bit of overview about BugBusters

BugBusters is a Facebook app launched by uTest, a crowd-sourcing community for software testing. It is a Flash game; to look at it or play it, please visit http://apps.facebook.com/bugsbusters/?ref=ts


The game was launched as a contest with 3 prizes: an iPad as first prize and digital cameras as the other 2 prizes.


What happened after I discovered the security vulnerabilities?

The game was already live and I could see a lot of activity from users around the globe. Once I found the vulnerabilities, I quickly documented a report with the details uTest or the development vendor would need to fix them.


Once the report was ready, I contacted Mr. Matt Johnston, VP of Marketing, and Mr. Peter Shih, a community manager, via e-mail. They responded quickly and with interest in looking into the details. Thanks to Matt for introducing me to the development company to which I reported these bugs (Blonde20, http://blonde20.com/).


The security vulnerabilities were fixed within the same week I reported them. Thanks to the Blonde20 folks for fixing them so quickly. The fix was to stop including details such as the Score, Profile ID and profile Name in the POST_DATA form. Once they had fixed it I tried to reproduce the issue and could not; however, I did not explore whether the new fix had further vulnerabilities, because I got busy with the BugDeBug conference and other tasks.
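The weakness described above is a score submission whose Score, Profile ID and Name are chosen by the client. The following is an added example, not code from the BugBusters game, Blonde20 or uTest: a trusting "before" handler beside a hardened one that takes identity from the server-side session, recomputes the total from events the server itself recorded, and flags any client-supplied score or identity field so it can be logged. The Session class, POINTS table and sample values are constructed for illustration.

```python
"""Server-side handling of game score submissions (added example).

All names and data here are constructed for illustration; nothing is
taken from the real game's protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Points the server awards per bug type. The client never sends a total.
POINTS = {"minor": 10, "major": 25, "critical": 50}

# Fields a client should never be allowed to decide for itself.
CLIENT_CONTROLLED = {"score", "profile_id", "profile_name"}


@dataclass
class Session:
    """Server-side state bound to the logged-in player (constructed)."""
    profile_id: str                        # fixed at login, not read from the form
    name: str
    caught: List[str] = field(default_factory=list)  # bug events the server recorded


def weak_submit(leaderboard: Dict[str, int], form: Dict[str, str]) -> int:
    """'Before' design: trusts Score and Profile ID straight from POST data.

    Whoever controls the form controls the leaderboard entry.
    """
    leaderboard[form["profile_id"]] = int(form["score"])
    return leaderboard[form["profile_id"]]


def hardened_submit(leaderboard: Dict[str, int], session: Session,
                    form: Dict[str, str]) -> Tuple[int, bool]:
    """Fixed design: identity from the session, total from server-side events.

    Returns (score, tampered). Client-supplied identity or score fields are
    ignored for scoring, and their presence is reported so the caller can log
    the submission as a possible tampering attempt.
    """
    tampered = bool(CLIENT_CONTROLLED.intersection(form))
    score = sum(POINTS[kind] for kind in session.caught if kind in POINTS)
    leaderboard[session.profile_id] = score
    return score, tampered


if __name__ == "__main__":
    player = Session("u42", "Alice", ["minor", "critical", "minor"])
    print(weak_submit({}, {"profile_id": "u1", "score": "999999"}))      # 999999
    print(hardened_submit({}, player, {"profile_id": "u1", "score": "999999"}))  # (70, True)
```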


This is all good, but where is the full disclosure? Well, I have it for you here.


I did not win the game but, at least to me, I am the topmost winner and feel as if I had won a billion dollars. I hope all security testers, researchers and newbie (ethical) hackers learn from my findings and help protect the web community from the bad guys out there.

SanthoshTuppad

I have been a software tester for over 5 years. I am a hands-on tester and I have been winning bug battles and testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad and Chennai; invite him to your location) and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.


2 Comments

  1. Deepak KJ wrote:

    Hi Santhosh,

    It's nice to see, because you have helped the actual gamers to play and win the game. Testing rocks!!!!!

    Thanks,
    Deepak

    Tuesday, March 27, 2012 at 12:32 am | Permalink
  2. Badhurudeen wrote:

    I have gone through your bug report. It shows how (ethical :)) hackers would think. Really, it is awesome.

    Tuesday, March 27, 2012 at 2:37 am | Permalink
