Good reminder here that all publicly-visible services are part of your overall attack surface, including beta sites and other things you never expect people to look at. The DROWN vulnerability from last week was similar: people disabled SSLv2 on their web servers, but not their mail servers.
Very nice find: super simple but super effective. I'm glad Facebook paid up promptly.