Strategy, Vulnerability management, Threat intelligence

Facebook gives bug bounty of $33.5K for Remote Code Execution flaw

January 23, 2014

A Brazilian computer engineer was recently awarded a reported $33,500 for discovering a Remote Code Execution (RCE) vulnerability in Facebook – making it the biggest bug bounty the social media company has given out since its program launched in 2011.

RCEs give attackers the ability to access computers from afar and someone who took advantage of this particular vulnerability would have been allowed to read arbitrary files on the web server, according to a Facebook post, which adds that the company quickly applied a patch before addressing the issue on a bigger scale.

“We use a tool called Takedown for this sort of task because it runs at a low level, before much of the request processing happens,” according to the Facebook post. “It allows engineers to define rules to block, log and modify requests.”

For Reginaldo Silva, the journey to earning the coveted five-figure prize began in September 2012 when he discovered an XML External Entity (XXE) Expansion bug that affected the part of Drupal, a free content management framework, that handles OpenID – a standard that allows for user authentication through co-operating sites known as Relying Parties (RP).

At the time, Silva immediately reported his discovery and earned $500 from Google, but understanding how widely used OpenID is, the computer engineer continued to poke and prod.

“Well, I knew Facebook allowed OpenID login in the past,” Silva wrote in a blog post. “However, when I first found the OpenID bug in 2012 I couldn't find any endpoint that would allow me to enter an arbitrary OpenID URL.”

It was not until about a year later – when Silva was testing Facebook's ‘Forgot Your Password?' feature and noticed a request to https://www.facebook.com/openid/receiver.php – that he started thinking Facebook could actually be vulnerable to the XXE bug.

According to the Silva post, when a user forgets their password, they can authenticate to Facebook that they have a Gmail by logging into Facebook through their Google mail account – which all happens over OpenID.

“Since the initial OpenID request (a redirect from Facebook to Google) happens without my intervention, there was no place for me to actually enter an URL under my control that was my OpenID identifier and have Facebook send a Yadis Discover request to that URL,” Silva wrote.

The computer engineer added, “So I thought the bug would not be triggered at all, unless I could somehow get Google to send Facebook a malicious XML, which was very unlikely. Fortunately, I was wrong.”

All researchers long to discover an RCE and, following the announcement by Facebook, many in the community were vocal about how considerably low the reward was for Silva.

“Facebook should have paid far more to Mr. Silva,” Vikram Phatak, CEO of NSS Labs, told SCMagazine.com on Thursday. “Had that vulnerability been exploited for nefarious purposes, it would have cost Facebook far more than $33K.”

Phatak added, “Unfortunately, we now have to worry whether the next person to find an RCE vulnerability in Facebook will let Facebook know, or seek more lucrative compensation for their hard work.”

prestitial ad