[vvanders]

Damn, the amount of user trust they just burned by closing that with "as designed, won't fix" is staggering.

[stakecounter]

Yeah, I read through the post and (assuming I'm parsing it right) can't figure out why this hasn't caused a massive shitstorm already. Are they actually arguing that it's not a security bug because it's necessary for them to implement a 'one click sign in through Google' feature?

[varenc]

Likejacking Facebook likes has been around for 8+ years, leaks a similar amount of information, and there’s no big shitstorm. Not sure what the big difference between YOLO and FB’s like button are?

[stakecounter]

I was wondering whether this is actually the same as like jacking. Is the ‘leak’ in that case the ability for the Facebook page/post owner to be able to then look you up in the list of ‘likes’? If so, I think Facebook privacy settings may allow users to not leak their emails or pictures in this case.

Also, I think it’s more widespread given that ‘Google identity’ covers a large number of Google products, and signing into one signs into all. With Facebook any time I log in nowadays I open incognito, check messages, log out, whereas with Google I generally stay logged in, mostly because I want gmail and my cross device browsing history to work.

[bobross]

To me Likejacking is more like harvesting organic likes. And YOLO leaks email address which is PII.

[qaq]

Do you get user's email from FB’s like button? (edit typo)

[mirimir]

Basically, yes.

[harpiaharpyja]

That's insane.

[laurent123456]

Yet they silently blocked his website from using this API thus acknowledging it's actually an issue.

[jacquesm]

Shoot the messenger. SOP.

Maybe someone should tip off Google project Zero about this? Let's see if they mean it that they will hold themselves to the same standard.

[pred_]

Looks like they took it down for everyone [0]; maybe not the most elegant approach but at least it seems they're taking it more serious now.

[0]: https://stackoverflow.com/questions/50289065/google-yolo-sto...

[jacquesm]

It would be very interesting to see a split second exact timeline on this.

[pred_]

Indeed. A Google engineer stated on Twitter [0] that the shutdown of the service happened because apparently YOLO is only supposed to be accessible to whitelisted partners.

[0]: https://twitter.com/sirdarckcat/status/994867632355577862

[jacquesm]

So, whitelisted partners get the ability to rip your data?

I'm sure that will go down just fine. FB just got into a lot of trouble over something like that (arguably a lot more serious, but still).

[eganist]

Sounds like a fix.

By the terms of the VRP it sounds like the reporter is owed a payout.

[kerng]

Bounty deserved, yes. Fixed? No, they only blocked his address, anyone else can still grab your info on their sites.

[lallysingh]

Looks like it's blocked for everyone now

[Buge]

It's blocked for people who aren't on the whitelist.

[kerng]

That is interesting, do you have more info? I'd imagine the whitelist being quite enormous!

[acqq]

Exactly. If it was about "just whitelisted partners" he discovered it was actually "everybody." It's not different than discovering that instead of the password just an empty string is enough.

[mirimir]

Well, that did protect users from his site, at least :)

[ComodoHacker]

They're burning developers and potential employees trust in the first place. This "we don't know how to fix it ==> not a bug" attitude is what's staggering.

[harpiaharpyja]

To me it shows a gross indifference to being dishonest even when speaking in an official capacity.

I want to say that I hope this is isolated and not a systemic part of their company culture but at this point I can't help but be cynical after this.

[jacquesm]

This keeps happening over and over again. I remarked the other day that the most feared words when reporting a serious bug are 'won't fix'. It is super annoying. If the feature can't be made to work safely then drop the feature.