Feeds

Facebook coughs up $33.5k... its BIGGEST bug bounty EVER

Brazilian who found remote code vuln scoops five figures

The Power of One eBook: Top reasons to choose HP BladeSystem

Facebook has awarded its highest bug bounty to date after the discovery of a vuln which could have been used to spray Facebookers with drive-by download-style malware exploits.

Brazilian web security researcher Reginaldo Silva earned $33,500 for giving the social network a heads-up about an XML external entity vulnerability within a PHP page hosted on its servers that handled OpenID authentication. The flaw disclosed Facebook's etc/passwd.

If the flaw were to be left unresolved, malicious crackers who came across the vulnerability could have abused it to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. That by itself is bad enough, but Silva might have been onto something even worse.

Silva discovered the vulnerability back in November before disclosing it to Facebook, whose engineers immediately saw the significance of the flaw and fixed it hours later. This thwarted Silva's strategy of seeing whether the bug could have been developed into a remote code execution vulnerability.

“I was very impressed and disappointed at the same time,” Silva wrote in a blog post about his find. “But since I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not.”

Remote code execution vulnerabilities would lend themselves to types of attack that throw malware at surfers visiting a vulnerable website – the most serious category of risk – and therefore earn a bigger payout under Facebook's bug bounty programme.

Facebook initially wanted to pay out only for the credential disclosure aspect of the flaw. But it relented after a few back-and-forth emails with Silva, deciding to classify the vulnerability as an even higher risk flaw.

“We discussed the matter further,” Facebook explained in a statement about the payout on its site. “Due to a valid scenario he theorised involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE [Remote Code Execution] bug.”

Amichai Shulman, CTO at data security firm Imperva, said the speed at which Facebook was able to fix the flaw was exceptionally fast and a possible sign that the bug was outside the "critical application path so the risk of breaking [something] was low"

“Facebook is one of the companies that probably have invested the most in their application security over the past years," Shulman said. "The fact that critical vulnerabilities still pop up in their application should serve as a warning sign to anyone who believes that writing vulnerability-free applications is possible."

“Remote execution flaws are a tidal phenomenon,” added Shulman. “Usually people find a way to abuse a specific infrastructure (in this case OpenID) and then suddenly we see many flaws being reported in different places that use this infrastructure. Are critical flaws hard to find? Sadly, the answer is no."

Additional security commentary on the handling of the bug bounty negotiations in this particular case can be found in a blog post by Joshua Cannell, a malware intelligence analyst at Malwarebytes, here. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.