Nearly all the tech companies routinely pay bounty awards to security researchers for finding vulnerabilities in their services. But it’s quite rare to see a bounty to the tune of $33,500, which was recently grabbed by a researcher who found a remote execution bug in Facebook.
Brazilian computer engineer Reginaldo Silva has been tinkering with the security aspects of OpenID for quite some time now. OpenID essentially allows a user to sign in to multiple services using the same account.
Facebook also supports OpenID, and if a user forgets the password of the account while logging in, Facebook uses an OpenID provider to verify the user and retrieve his password. The verification process is where the vulnerability existed. It consisted of Facebook connecting to the provider and receiving an XML document that had to be parsed to verify the account.
Parsing an XML document from an outside party meant that the Facebook server performing it was open to a range of attacks. A well-known one, the XML external entity (XXE) processing vulnerability, allows a hacker to specify a URI in an entity's system identifier. The server parsing the XML document can then be forced to open new connections to destinations defined by the hacker himself.
Not only that, it allows the hacker to gain read access to the local file system. According to Silva, he was able to read the /etc/passwd file on the server but then stopped and contacted Facebook. He wanted to pursue the exploit further and see how far it could be taken, but as soon as he reported it to Facebook, the social network patched it up.
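The defensive side of the parsing step described above, added here as an example (it is not Facebook's code or Silva's): a Python parser for the OpenID discovery (XRDS) document that refuses any DOCTYPE, entity declaration or external entity reference before the URI in a SYSTEM identifier can be followed. The sample documents are constructed and the provider URL is a placeholder.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """The untrusted document declared a DTD or an entity."""

def parse_openid_services(data: bytes) -> list:
    """Return the <URI> values of an XRDS discovery document from an OpenID
    provider, refusing any DOCTYPE, entity declaration or external entity."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    uris, state = [], {"in_uri": False, "text": []}

    def refuse(*_args):
        # Any DTD construct aborts the parse before a SYSTEM URI can be followed.
        raise UnsafeXMLError("DOCTYPE, entity declaration or external entity refused")

    def start(name, _attrs):  # names arrive as "namespace-uri localname"
        if name.split(" ")[-1] == "URI":
            state["in_uri"], state["text"] = True, []

    def chars(text):
        if state["in_uri"]:
            state["text"].append(text)

    def end(name):
        if state["in_uri"] and name.split(" ")[-1] == "URI":
            uris.append("".join(state["text"]).strip())
            state["in_uri"] = False

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return uris

def is_rejected(data: bytes) -> bool:
    try:
        parse_openid_services(data)
    except UnsafeXMLError:
        return True
    return False

# Constructed samples: a benign XRDS document (placeholder provider URL) and
# the same shape carrying the external entity the article describes.
BENIGN = b"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://openid.example.org/server</URI></Service></XRD></xrds:XRDS>"""
HOSTILE = b"""<!DOCTYPE xrds [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds"><XRD><URI>&xxe;</URI></XRD></xrds:XRDS>"""
```

Refusing the DOCTYPE outright is the simplest fix for a document format that never legitimately needs one; the handlers also cover the case where a DTD is declared without an internal subset.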
According to Silva, “Since I didn’t want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a [remote code execution] and then work on it while it was being fixed.” But since Facebook instantly applied a quick patch as soon as the bug was reported, he says, “I decided to tell the security team what I’d do to escalate my access, and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I’m glad I did that.”
As his reward for this rare and rather critical find, Silva has been handed a whopping $33,500 by Facebook. This is the highest bounty Facebook has ever paid, and it makes sense given that the exploit in question could have had very damaging consequences had it not been patched in time.