Facebook, Researcher Quarrel Over Bug Reward Eligibility

Facebook has decided not to reward a researcher who has identified a vulnerability in one of the software components used on the official blog of Onavo, a mobile data analytics company acquired by the social media giant in 2013.

Facebook’s bug bounty program covers vulnerabilities that affect the company’s own services, and security issues that impact products and acquisitions such as Instagram, Parse, Oculus, Onavo, Moves, and osquery.

Finland-based security researcher Jouko Pynnonen of the company Klikki Oy has been analyzing WordPress plugins used by these Facebook acquisitions to see if they contain any serious vulnerabilities. One of the pieces of software found to be vulnerable by the expert is WPML, a premium plugin designed for running multilingual websites with WordPress.

The WPML flaws, discovered in March, affect a total of 400,000 websites, including the site of Facebook-owned virtual reality company Oculus. The WPML bugs can be exploited by an attacker to access website databases, delete content, and perform various administrative actions. Pynnonen demonstrated that he could leverage one of the more serious vulnerabilities, an SQL injection, to gain access to the details of Oculus employees and customers’ financial information. Facebook awarded the researcher $4,000 for reporting the flaw.

Later in March, the researcher identified a persistent cross-site scripting (XSS) vulnerability in Google Analytics by Yoast, a plugin used for monitoring website traffic. The flaw, patched by Yoast one day after it was reported, can be exploited for arbitrary code execution. According to some reports, the vulnerability has been exploited in the wild.

The plugin is used on the Onavo blog, so Pynnonen expected to receive a considerable reward from Facebook given the seriousness of the vulnerability. However, the social media company has decided not to reward the researcher.

According to the researcher, the vulnerability poses a serious risk because it affects the administrative dashboard in WordPress. A remote attacker can plant arbitrary code in content that the WordPress dashboard renders, and that code then runs in the administrator's browser as soon as the panel is opened.

“If no special protections are in place, the attacker can trivially execute not only JavaScript in the administrator’s browser, but by leveraging that, also arbitrary code on the underlying operating system. In other words the attacker would gain unrestricted shell access on the server,” Pynnonen told SecurityWeek.
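The mechanism Pynnonen describes, a stored value that the dashboard renders unescaped, is shown below as an added illustration; it is not code from the Yoast plugin, from Facebook, or from the researcher. The widget functions, the sample label and the detector are hypothetical, and the `esc_html()` fallback exists only so the script runs outside WordPress (inside WordPress the real function is used):

```php
<?php
// Added illustration (hypothetical code, not the plugin's own): a stored
// string becomes persistent XSS in the WordPress admin dashboard, and
// escaping at the point of output closes it.

// Fallback so the script runs outside WordPress; inside WordPress the
// core esc_html() is defined and this block is skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: a value an outside party can influence and that the
// plugin later displays to the administrator (for example a stored label).
$stored_label = 'Top referrer: <img src=x onerror="alert(1)">';

// Vulnerable pattern: raw interpolation into dashboard HTML. The browser
// parses the markup and runs the handler when the administrator opens the panel.
function render_widget_vulnerable($label) {
    return '<li class="ga-row">' . $label . '</li>';
}

// Hardened pattern: escape when emitting. esc_html() turns < > " ' & into
// entities, so the value is displayed as text and never parsed as markup.
function render_widget_hardened($label) {
    return '<li class="ga-row">' . esc_html($label) . '</li>';
}

// Minimal check used here only to show the difference: does the rendered
// fragment still contain a script tag or a tag carrying an on* event handler?
function contains_active_markup($html) {
    return (bool) preg_match('/<script\b|<[a-z]+[^>]*\son[a-z]+\s*=/i', $html);
}

echo render_widget_vulnerable($stored_label), PHP_EOL;
echo render_widget_hardened($stored_label), PHP_EOL;
var_dump(contains_active_markup(render_widget_vulnerable($stored_label)));
var_dump(contains_active_markup(render_widget_hardened($stored_label)));
```

The defensive rule this demonstrates is to escape for the context at the moment of output rather than trusting that a value was sanitised when stored. Where a dashboard element genuinely needs to show a subset of HTML, WordPress core's `wp_kses_post()` whitelists allowed tags and attributes instead of escaping everything; the detector above is only a teaching aid and is not a substitute for either.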

Once the server is compromised, an attacker could retrieve the password hashes of the Onavo/Facebook employees who manage the site, exploit the website for malware distribution and phishing attacks, and capture the traffic of Onavo/Facebook employees and website visitors, the expert said.

The researcher says he kept Facebook in the loop regarding the availability of a patch and provided advice on how to protect the Onavo website until the fix became available.

Facebook has admitted that the vulnerability can potentially be exploited for remote code execution. However, after assessing the vulnerability and its impact, the social media company has decided that it is not eligible for a reward.

“We’re grateful to Jouko for his reports and have rewarded him previously for the good work he has done. In this case, as we explained to him, his finding doesn’t qualify for a reward under the terms of our program,” a Facebook spokesperson told SecurityWeek. “We reward bounties for issues that affect user data or that enable access to a system within our infrastructure. In this case, the issues were located in a popular WordPress plugin used by many sites across the internet, there was no impact on user data, and no relevant code was written by Facebook or Facebook-owned companies. We encouraged him to continue submitting bugs, and we will reward qualifying reports in the future.”

The researcher argued that, in the past, Facebook rewarded vulnerabilities that didn’t meet the requirements of its responsible disclosure program.

“Facebook has previously rewarded misconfigurations that are neither within Facebook’s nor an acquisition’s infrastructure, nor compromise any user data. As an example, at least two minor bugs (XSS, open redirect) on aconnectedlife.info have qualified. The site is an acquisition not listed on the info page and seems to consist of just a few info pages. It doesn’t allow logging in and is hosted on a third-party server,” Pynnonen said. “None of my qualified, rewarded bugs use Facebook’s own infrastructure (as in physical servers). All of them affect virtual servers hosted by Amazon, where Onavo is hosted too.”

The expert has compared his findings to the vulnerabilities reported by several other researchers in the past, including Stefano Vettorazzi Campos, who reported bugs on the Onavo website, Jutendra Jaiswal, who found a serious issue on Parse.com, and Bitquark, who found a flaw in the Oculus developer portal.

However, Facebook disagrees with the comparisons made by Pynnonen to other vulnerabilities rewarded in the past by the company.

“After rewarding some people for bugs that are at most potential reputational risks, and after securing their systems with my help, it seems illogical to claim that my bugs, while being near the top of the technical severity scale, are somehow worth nothing at all,” Pynnonen said. “Of course, it’s perfectly OK legally for Facebook to make exceptions for any undisclosed reason they want. Ethically though, it may be different. When they mobilize the crowds to work for them and require them to conform to strict ‘white hat’ ethics, they should pay attention to their own conduct too.”

“The vast majority of the crowd never finds anything, so it’s a free workforce. But when someone actually finds critical security issues affecting Facebook and allows Facebook to protect their systems from serious threats, it seems very problematic that they fail to fulfill their part of the deal and wriggle out by citing unwritten rules which don’t seem to make sense and haven’t existed before,” the expert added.

This isn’t the only vulnerability found by Pynnonen in a component used on the Onavo website. The expert says he has reported a second security bug, which hasn’t been patched yet, to the component’s developer and Facebook.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.