Responses

To avoid exposing our identities, here we selectively post some responses from the vendors. We are working aggressively with all the vendors involved in confirmed attacks, doing our best to help them fix their design flaws.

Facebook and Twitter have confirmed our findings. Facebook will award us $9,500 ($7,500+$2,000) and Twitter will award us $1,120, which is evidence of XAWI’s high impact.

Amazon

Amazon has confirmed our findings and fixed the vulnerabilities.

Facebook

1. Remote Privilege Escalation

Facebook has confirmed this vulnerability and will award us $7,500.

2. Remote Deep Phishing

Facebook has just acknowledged that the remote deep phishing is novel and realistic, awarding us $2,000 for the finding. Their long-term solution apparently is in line with the defense idea we proposed (providing lightweight alerts to the user when possible). We will continue to work with them to address this emerging challenge.

Baidu

The vulnerability has been confirmed and fixed.

Twitter

Twitter has confirmed the remote deep phishing attack and will award us $1,120 for the finding.