Facebook’s biggest bug bounty
- January 22, 2014
- Posted by: secpass
- Category: Bug bounty
Since 2011, Facebook's biggest bug bounty: $33.5K for a Remote Code Execution flaw.
For finding a Remote Code Execution (RCE) vulnerability in Facebook, a Brazilian pentester has been paid a bounty of $33.5k (approximately Rs.20,99,110/-). Since 2011, this is the biggest bounty Facebook has ever provided.
An RCE gives an attacker the ability to run code on a remote machine; according to a post, anyone who exploited this particular vulnerability would have been able to read arbitrary files on the web server. Facebook quickly applied a patch before addressing the problem on a larger scale.
“We use a tool referred to as Takedown for this type of task because it runs at a low level, before much of the request processing happens,” according to the Facebook post. “It allows engineers to define rules to block, log and modify requests.”
For Reginaldo Silva, the journey to earning the coveted five-figure prize began in September 2012 when he discovered an XML External Entity (XXE) Expansion bug that affected the part of Drupal, a free content management framework, that handles OpenID – a standard that allows for user authentication through co-operating sites known as Relying Parties (RP).
At the time, Silva immediately reported his discovery and earned $500 from Google, but understanding how widely used OpenID is, the computer engineer continued to poke and prod.
“Well, I knew Facebook allowed OpenID login in the past,” Silva wrote in a blog post. “However, when I first found the OpenID bug in 2012 I couldn’t find any endpoint that would allow me to enter an arbitrary OpenID URL”. It was not until about a year later – when Silva was testing Facebook’s ‘Forgot Your Password?’ feature and noticed a request to https://www.facebook.com/openid/receiver.php – that he started thinking Facebook could actually be vulnerable to the XXE bug.
According to Silva’s post, when users forget their password, they can prove to Facebook that they own a Gmail account by logging into Facebook through their Google mail account – which all happens over OpenID.
“Since the initial OpenID request (a redirect from Facebook to Google) happens without my intervention, there was no place for me to actually enter an URL under my control that was my OpenID identifier and have Facebook send a Yadis Discover request to that URL,” Silva wrote.
The computer engineer added, “So I thought the bug would not be triggered at all, unless I could somehow get Google to send Facebook a malicious XML, which was very unlikely. Fortunately, I was wrong.”
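Silva’s path ran through Yadis discovery: the Relying Party fetches an XRDS document from a URL it did not author and hands it to an XML parser, so the mitigation on the RP side is to refuse any DTD before parsing. The following added example (mine, not Facebook’s, Drupal’s or Silva’s code) shows such a pre-parse gate in Python over two constructed XRDS documents; the function names and sample URLs are assumptions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample XRDS documents (not captured from Facebook or Google).
BENIGN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.org/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
# The same document carrying the DTD an XXE payload depends on: an entity
# that names a local file and is referenced from inside the XRD.
HOSTILE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XRDS [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&xxe;</URI></Service></XRD>
</xrds:XRDS>"""
XRD_NS = "{xri://$xrd*($v*2.0)}"


class UnsafeXmlError(ValueError):
    """The discovery document declares a DTD (and so may declare entities)."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-parse gate: XRDS never needs a DOCTYPE, and entities can only be
    declared inside one, so any DTD aborts before a parser could expand it."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE %r not allowed in discovery document" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def yadis_service_uris(xml_bytes: bytes) -> list:
    """Return the <URI> of every <Service>, only for a DTD-free document."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return [u.text.strip() for u in root.iter(XRD_NS + "URI") if u.text]


def is_safe_discovery_document(xml_bytes: bytes) -> bool:
    """True when the DTD gate passes, False when the document is rejected."""
    try:
        reject_dtd(xml_bytes)
    except UnsafeXmlError:
        return False
    return True
```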
All researchers long to discover an RCE and, following Facebook’s announcement, many in the community were vocal about how low the reward was for Silva.
“Facebook should have paid far more to Mr. Silva,” Vikram Phatak, CEO of NSS Labs, told SCMagazine.com on Thursday. “Had that vulnerability been exploited for nefarious purposes, it would have cost Facebook far more than $33K.”
Phatak added, “Unfortunately, we now have to worry whether the next person to find an RCE vulnerability in Facebook will let Facebook know, or seek more lucrative compensation for their hard work.”