Stephen Sclafani @Stephen Twitter profile

Pinned Tweet

Stephen Sclafani

@Stephen

10 years

Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User ($20,000 bounty) http://t.co/ibrHHcm4KK

38

70

97

Last Seen Profiles

@Danchick_

@m__as___

@helenaprestes

@Cattyx_04

@tcseducations

@GoodGamesSK

@McCamaryy

@5WGgN241j962315

@hoangtheduc1234

@ddawerd1

@Omi_Garfito

@RariCapital

@INOUE_MIYUKI

@Double_shuiCD

@Anggreq

@BazelonCenter

@TopekaKSam

@jandakembangstw

@NightmareReape4

@als71732501

@TYoinked

@zenga1602

@VexTxs

@justlexmodel

@hay392606262

@illucidz

@LivU_Videochat

@TheLastMohicans

@X_indo_

@KasihLudah

@BKKBOYY69

@bokeplokalmalam

@YangonDaddy

@HarmonyRow2007

@ZamanAmrizal

@yangyangjimo

Stephen Sclafani

@Stephen

7 years

Going to post a writeup of this soon (I promise).

12

37

179

Stephen Sclafani

@Stephen

7 years

Stealing Login Nonces

Messenger

Hang out anytime, anywhere - Messenger makes it easy and fun to stay close to your favorite people.

www.messenger.com

6

91

136

Stephen Sclafani

@Stephen

8 years

. @phwd I'll try to stop being lazy and do a writeup on this sometime soon.

3

13

44

Stephen Sclafani

@Stephen

7 years

No problem getting an iPhone X through Verizon's site.

9

10

29

Stephen Sclafani

@Stephen

10 years

I probably should write a blog post on this Facebook bug bounty from December. #lazy http://t.co/8pMyOezrQh

6

13

29

Stephen Sclafani

@Stephen

9 years

Finally heard from United that my bounty submission was accepted (500,000 miles). cc: @NealPoole http://t.co/HJtIZMQTVI

3

5

19

Stephen Sclafani

@Stephen

10 years

Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions http://t.co/Drk5po5b7W

0

18

19

Stephen Sclafani

@Stephen

7 years

Got to hold on posting the writeup for another week while Facebook fixes some related issues.

2

1

15

Stephen Sclafani

@Stephen

7 years

@JosipFranjkovic Five of my reports were Oculus related but I missed this one. Nice find ;)

1

0

11

Stephen Sclafani

@Stephen

11 years

Obtaining The Primary Email Address Of Any Facebook User http://t.co/HoeVOTkDwM

0

16

9

Stephen Sclafani

@Stephen

9 years

Anti-ride-sharing ad from a local black car service: three guys in a bar, one gets a ping from an Uber-like app, stumbles out drunk.

0

12

1

Stephen Sclafani

@Stephen

9 years

The new Facebook HQ has an office that's also a ball pit. http://t.co/RKDP1xIuaw

1

3

7

Stephen Sclafani

@Stephen

10 years

"After reviewing the bug details you have provided, our security team has determined that you are eligible to receive a payout of $6000."

0

1

6

Stephen Sclafani

@Stephen

9 years

Reported a couple bugs to the Western Union bounty program. Waiting on responses. Haven't bothered with other programs than FB in a while.

0

5

Stephen Sclafani

@Stephen

10 years

Back in 2008 I found a XSS in Facebook's ads themselves. I wonder how much they would reward for that today (a lot).

0

1

4

Stephen Sclafani

@Stephen

10 years

When a company launches a bounty program and multiple critical bugs are reported day one it says a lot about the companies without programs.

1

0

5

Stephen Sclafani

@Stephen

10 years

So far two of my reports to Microsoft have qualified for bounties. Waiting on amounts.

1

0

4

Stephen Sclafani

@Stephen

7 years

@prakharprasad @Nirgoldshlager reading Nir's OAuth writeups is what inspired me to start looking for these types of issues.👍

0

4

Stephen Sclafani

@Stephen

10 years

Should have bought that snow blower... http://t.co/LE5ZL2McPd

0

8

4

Stephen Sclafani

@Stephen

10 years

On top

0

4

Stephen Sclafani

@Stephen

10 years

@Bitquark Nice. Microsoft pays well for XSS, $2,500 for one on Yammer (reflected). One on http://t.co/79szd38pWL should pay more.

2

0

4

Stephen Sclafani

@Stephen

10 years

@Bitquark This might be relevant http://t.co/KvxvCUml0r

0

3

Stephen Sclafani

@Stephen

10 years

XSS question: Can you break out of a function without using {}? cc: @avlidienbrunn @0x6D6172696F @orenhafif

2

0

2

Stephen Sclafani

@Stephen

10 years

@Stephen This was my second largest bounty ever (the largest being http://t.co/zT2riFtPQR).

0

3

Stephen Sclafani

@Stephen

8 years

@ericflo There's a personalized recommended feed, usually shows good suggestions for me:

1

0

2

Stephen Sclafani

@Stephen

10 years

Interesting that Twitter displays your join date on the new profile. Other than bragging rights for early adopters, is that useful info?

0

3

Stephen Sclafani

@Stephen

10 years

I alerted Verizon in Oct. to broken/missing auth (was poss. to reset any user's pass). Fixed, but others still exist http://t.co/49eQDrYAno

0

2

Stephen Sclafani

@Stephen

8 years

@samhouston Reckful is right now

1

0

3

Stephen Sclafani

@Stephen

6 years

@TheStalwart

1

0

2

Stephen Sclafani

@Stephen

10 years

. @fin1te You sniped me this time last year. It's not going to happen again :)

0

1

Stephen Sclafani

@Stephen

9 years

@fmanjoo Seems obvious that it will be an option.

0

2

Stephen Sclafani

@Stephen

11 years

@dozba http://t.co/kP1uy6jleC

0

1

Stephen Sclafani

@Stephen

8 years

@MikeIsaac Old: The Omen (1976 version) New: Babadook

0

2

Stephen Sclafani

@Stephen

9 years

@thegrugq @homakov Probably only few people making anything close to $30k/month from web bounties.

0

1

Stephen Sclafani

@Stephen

13 years

"Kimble was arrested yesterday, his panic-room door busted down by officials, who found the hacker clinging to a sawed-off shotgun."

0

2

Stephen Sclafani

@Stephen

9 years

@fmanjoo I'm not sure why people think that Twitter is going to replace the chronological timeline with the algorithmic timeline.

1

0

2

Stephen Sclafani

@Stephen

8 years

@real_1x0123

0

2

Stephen Sclafani

@Stephen

10 years

@homakov

0

2

Stephen Sclafani

@Stephen

10 years

@kevinroose This video does a good job explaining why

0

1

2

Stephen Sclafani

@Stephen

9 years

A lot of awesome moments in The Force Awakens

1

8

1

Stephen Sclafani

@Stephen

11 years

Doing over 100 Mbps on my new Optimum modem. http://t.co/ZGAseekGN2

Speedtest by Ookla - The Global Broadband Speed Test

Use Speedtest on all your devices with our free desktop and mobile apps.

www.speedtest.net

1

0

2

Stephen Sclafani

@Stephen

10 years

No problems preordering an iPhone 6+ through Verizon.

0

1

Stephen Sclafani

@Stephen

14 years

@Scobleizer It looks like Meebo picked the wrong day to launch their checkin feature. Everybody is talking about Path.

0

2

Stephen Sclafani

@Stephen

10 years

@nikcub Here's a list of the top retweets if you're curious: http://t.co/nI5WBGFh2E (lots of celeb tweets with six-figures).

1

0

2

Stephen Sclafani

@Stephen

10 years

@fmanjoo Because many of those followers aren't seeing your posts due to Facebook's news feed algorithm.

0

2

Stephen Sclafani

@Stephen

8 years

@samhouston summit is trying to also but it looks like he's having connection issues

1

0

2

Stephen Sclafani

@Stephen

10 years

@ErrataRob Yeah, surge areas are shown on their map http://t.co/hQaqlDPgVw

0

1

2

Stephen Sclafani

@Stephen

8 years

@samhouston Xbox Live is down.

1

0

2

Stephen Sclafani

@Stephen

11 years

@stevekovach @CalebGarling Probably the use of the word "snoots" gave you away.

0

1

Stephen Sclafani

@Stephen

11 years

@0x6D6172696F http://t.co/DnBdqBM6FM

0

1

Stephen Sclafani

@Stephen

10 years

@troyhunt highlight.js

GitHub - pc035860/angular-highlightjs: AngularJS directive for syntax highlighting with highlight.js

AngularJS directive for syntax highlighting with highlight.js - pc035860/angular-highlightjs

github.com

0

2

Stephen Sclafani

@Stephen

9 years

@homakov @thegrugq Yeah, the end game for bounties is for someone to give you a full time job.

3

0

2

Stephen Sclafani

@Stephen

9 years

@anildash @hunterwalk 's proposal looks more and more inevitable http://t.co/qU6qMzimCR

Reinvent the Movie Theater: wifi, outlets, low lights, second screen experience

Update 8/5: Wrote a response to the unexpected interest & negativity to my proposal Update 8/8: Thanks to actor Elijah Wood for explaining why he disagrees with this idea; also to Anil Dash who…

hunterwalk.com

0

2

Stephen Sclafani

@Stephen

10 years

. @ErrataRob Not from Sydney, but this is what drivers see when pinged to accept a fare during a surge. http://t.co/ewjMghKA8j

1

0

2

Stephen Sclafani

@Stephen

10 years

@Agarri_FR @Zigoo0 Facebook and Google are the only two programs that I've used that reliably pay 4/5 figure bounties for serious issues.

0

2

Stephen Sclafani

@Stephen

10 years

@isaach @ladymisskate Owned by a Lamborghini dealer in Miami. He rents it out. Someone's been driving it around SF the last couple weeks.

0

1

Stephen Sclafani

@Stephen

15 years

@SlideShare_Dan I sent you an email.

0

1

Stephen Sclafani

@Stephen

10 years

@homakov I use Burp. If you install its CA certificate in your browser you wont get warnings or broken requests. http://t.co/DZrTduqf2R

0

1

Stephen Sclafani

@Stephen

13 years

Google+ is a pretty good social network for people to talk about Google+ on.

1

0

1

Stephen Sclafani

@Stephen

10 years

@arrington Probably a good buying opportunity.

0

Stephen Sclafani

@Stephen

11 years

@parislemon It premiered during the Colts-Patriots game. I wonder how much a 60-second commercial during the playoffs costs.

0

1

Stephen Sclafani

@Stephen

10 years

@homakov @agelastic Don't link to your HN submissions from Twitter or from your blog. Direct votes actually count against you.

1

0

1

Stephen Sclafani

@Stephen

8 years

@LIRIK It's always high noon somewhere.

0

1

Stephen Sclafani

@Stephen

9 years

CRISPR is a real big deal http://t.co/NJYboPxlLb

The Genome Engineering Revolution | TechCrunch

Over the years, the debate surrounding the ethics of genome engineering research and applications has cultivated a sense of fear among us that societies depicted in movies like Gattaca, or the book...

techcrunch.com

0

4

1

Stephen Sclafani

@Stephen

9 years

@tqbf @lyon01_david When a host cancels an automatic review is added to their listing indicating the cancelation:

Leaving a review after your Host canceled - Airbnb Help Center

If your Host cancels your reservation there are a couple of review options available.

www.airbnb.com

1

0

1

Stephen Sclafani

@Stephen

15 years

@securitytwits Clickjacking & OAuth. http://tinyurl.com/cs6xcl

0

1

Stephen Sclafani

@Stephen

12 years

@theharmonyguy There's some good answers on Quora regarding SF.

0

Stephen Sclafani

@Stephen

10 years

@homakov @agelastic More explanation:

0

1

Stephen Sclafani

@Stephen

12 years

The Apparition currently has a 0% rating on Rotten Tomatoes http://t.co/OvJlJI81

The Apparition | Rotten Tomatoes

Plagued by frightening occurrences in their home, Kelly (Ashley Greene) and Ben (Sebastian Stan) learn that a university's parapsychology experiment produced an entity that is now haunting them. The...

www.rottentomatoes.com

0

1

Stephen Sclafani

@Stephen

10 years

@PaulWebSec You shouldn't. Along with Google's, Facebook's is one of the best run programs. They have the highest payouts as well, IMO.

0

1

Stephen Sclafani

@Stephen

15 years

@arrington You should give The Wire more of a chance. Watching just the first episode of any show rarely gives one the feel of the show.

0

1

Stephen Sclafani

@Stephen

13 years

Finally getting around to playing Tales of Monkey Island

0

1

Stephen Sclafani

@Stephen

14 years

@Jason I'm enjoying TWiVC. Funding announcements tend to read like press releases. Good to hear some honest opinions.

0

1

Stephen Sclafani

@Stephen

11 years

It's looking like Star Trek 2009 ($75m) will have had a better opening weekend than Into Darkness ($70.5m).

0

1

Stephen Sclafani

@Stephen

9 years

@NealPoole Waiting on one myself. Reported around the same time as @psifertex . Hope to hear something soon.

1

0

1

Stephen Sclafani

@Stephen

9 years

@SteveD3 @McGrewSecurity You're welcome :)

0

1

Stephen Sclafani

@Stephen

9 years

@samhouston Those of us on the East Coast are a bit less excited thanks to the coming blizzard :)

0

1

Stephen Sclafani

@Stephen

11 years

@dozba You'd probably find this interesting: http://t.co/BOdMkEYyjf

0

1

Stephen Sclafani

@Stephen

15 years

No one was injured in the explosion or fire. What the cause was I don't know.

0

1

Stephen Sclafani

@Stephen

9 years

@fransrosen Yes, you could. The penalty is added even if you aren't the submitter.

1

0

1

Stephen Sclafani

@Stephen

11 years

Pacific Rim was a good movie about giant robots fighting giant monsters interspersed with humans speaking bad dialogue.

0

2

1

Stephen Sclafani

@Stephen

10 years

@ErrataRob University of Leicester posted a video today of how they came to that conclusion

Richard III – The DNA Analysis & Conclusion

Dr Turi King and Professor Kevin Schϋrer discuss the findings of the genetic and genealogical analysis in the King Richard III case. This includes coverage o...

www.youtube.com

0

1

Stephen Sclafani

@Stephen

9 years

@McGrewSecurity @SteveD3 It doesn't make any sense for RSA to use this flow over the normal OAuth flow.

1

2

1

Stephen Sclafani

@Stephen