Feeds

Facebook coughs up $33.5k... its BIGGEST bug bounty EVER

Brazilian who found remote code vuln scoops five figures

Using blade systems to cut costs and sharpen efficiencies

Facebook has awarded its highest bug bounty to date after the discovery of a vuln which could have been used to spray Facebookers with drive-by download-style malware exploits.

Brazilian web security researcher Reginaldo Silva earned $33,500 for giving the social network a heads-up about an XML external entity vulnerability within a PHP page hosted on its servers that handled OpenID authentication. The flaw disclosed Facebook's etc/passwd.

If the flaw were to be left unresolved, malicious crackers who came across the vulnerability could have abused it to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. That by itself is bad enough, but Silva might have been onto something even worse.

Silva discovered the vulnerability back in November before disclosing it to Facebook, whose engineers immediately saw the significance of the flaw and fixed it hours later. This thwarted Silva's strategy of seeing whether the bug could have been developed into a remote code execution vulnerability.

“I was very impressed and disappointed at the same time,” Silva wrote in a blog post about his find. “But since I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not.”

Remote code execution vulnerabilities would lend themselves to types of attack that throw malware at surfers visiting a vulnerable website – the most serious category of risk – and therefore earn a bigger payout under Facebook's bug bounty programme.

Facebook initially wanted to pay out only for the credential disclosure aspect of the flaw. But it relented after a few back-and-forth emails with Silva, deciding to classify the vulnerability as an even higher risk flaw.

“We discussed the matter further,” Facebook explained in a statement about the payout on its site. “Due to a valid scenario he theorised involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE [Remote Code Execution] bug.”

Amichai Shulman, CTO at data security firm Imperva, said the speed at which Facebook was able to fix the flaw was exceptionally fast and a possible sign that the bug was outside the "critical application path so the risk of breaking [something] was low"

“Facebook is one of the companies that probably have invested the most in their application security over the past years," Shulman said. "The fact that critical vulnerabilities still pop up in their application should serve as a warning sign to anyone who believes that writing vulnerability-free applications is possible."

“Remote execution flaws are a tidal phenomenon,” added Shulman. “Usually people find a way to abuse a specific infrastructure (in this case OpenID) and then suddenly we see many flaws being reported in different places that use this infrastructure. Are critical flaws hard to find? Sadly, the answer is no."

Additional security commentary on the handling of the bug bounty negotiations in this particular case can be found in a blog post by Joshua Cannell, a malware intelligence analyst at Malwarebytes, here. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.