Feeds

Facebook coughs up $33.5k... its BIGGEST bug bounty EVER

Brazilian who found remote code vuln scoops five figures

Remote control for virtualized desktops

Facebook has awarded its highest bug bounty to date after the discovery of a vuln which could have been used to spray Facebookers with drive-by download-style malware exploits.

Brazilian web security researcher Reginaldo Silva earned $33,500 for giving the social network a heads-up about an XML external entity vulnerability within a PHP page hosted on its servers that handled OpenID authentication. The flaw disclosed Facebook's etc/passwd.

If the flaw were to be left unresolved, malicious crackers who came across the vulnerability could have abused it to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. That by itself is bad enough, but Silva might have been onto something even worse.

Silva discovered the vulnerability back in November before disclosing it to Facebook, whose engineers immediately saw the significance of the flaw and fixed it hours later. This thwarted Silva's strategy of seeing whether the bug could have been developed into a remote code execution vulnerability.

“I was very impressed and disappointed at the same time,” Silva wrote in a blog post about his find. “But since I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not.”

Remote code execution vulnerabilities would lend themselves to types of attack that throw malware at surfers visiting a vulnerable website – the most serious category of risk – and therefore earn a bigger payout under Facebook's bug bounty programme.

Facebook initially wanted to pay out only for the credential disclosure aspect of the flaw. But it relented after a few back-and-forth emails with Silva, deciding to classify the vulnerability as an even higher risk flaw.

“We discussed the matter further,” Facebook explained in a statement about the payout on its site. “Due to a valid scenario he theorised involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE [Remote Code Execution] bug.”

Amichai Shulman, CTO at data security firm Imperva, said the speed at which Facebook was able to fix the flaw was exceptionally fast and a possible sign that the bug was outside the "critical application path so the risk of breaking [something] was low"

“Facebook is one of the companies that probably have invested the most in their application security over the past years," Shulman said. "The fact that critical vulnerabilities still pop up in their application should serve as a warning sign to anyone who believes that writing vulnerability-free applications is possible."

“Remote execution flaws are a tidal phenomenon,” added Shulman. “Usually people find a way to abuse a specific infrastructure (in this case OpenID) and then suddenly we see many flaws being reported in different places that use this infrastructure. Are critical flaws hard to find? Sadly, the answer is no."

Additional security commentary on the handling of the bug bounty negotiations in this particular case can be found in a blog post by Joshua Cannell, a malware intelligence analyst at Malwarebytes, here. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.