Facebook patched flaw within 9 hours - XML Cross Domain
On March 25, 2014, Facebook announced that it had agreed to buy Oculus VR for $400 million in cash, $1.6 billion in Facebook stock, and an additional $300 million subject to Oculus VR meeting certain financial targets in a transaction expected to close in the second quarter of 2014.
Since 2012, the Oculus website has been in scope for the Facebook Bug Bounty at facebook.com/whitehat. The security researcher Paulos Yibelo discovered a severe flaw in the developer portal of the website (developers.oculus.com): the site was using an incorrectly configured crossdomain file that could allow cross-domain reads. In less technical terms, that means the ability to read the contents of any HTML file using the victim's session through a simple CSRF exploit.