Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Facebook Pays $33,500 to Security Researcher for Uncovering Bug

Facebook has paid a researcher $33,500 for finding and reporting a critical remote execution bug.

Facebook has paid a researcher $33,500 for finding and reporting a critical remote execution bug.

Brazilian computer engineer Reginaldo Silva reported the issue to Facebook in November. The bug is tied to OpenID, an authentication standard that allows people to centralize the authentication process across multiple sites so that they do not continuously have to log in.

According to Silva, the find came out of work he had done previously.

“September 22nd, 2012 was a very special day for me, because it was the day I found a XML External Entity Expansion bug affecting the part of Drupal that handled OpenID,” he explained in a blog post. “XXEs are very nice. They allow you to read any files on the filesystem, make arbitrary network connections, and just for the kicks you can also DoS the server with the billion laughs attack.”

Advertisement. Scroll to continue reading.

“I was so naive at the time that I didn’t even bother to check if anyone else was vulnerable. I reported it immediately,” he continued. “I wanted to start putting CVEs on my resume as soon as possible, and this would be the first (it eventually got CVE-2012-4554 assigned to it). Only five days later it occurred to me that OpenID was pretty heavily used and so maybe other places were vulnerable as well.”

He reported the bug to Google, which awarded him $500 as a bug bounty.

“Well, I knew Facebook allowed OpenID login in the past,” he blogged. “However, when I first found the OpenID bug in 2012 I couldn’t find any endpoint that would allow me to enter an arbitrary OpenID URL. From a Google search I knew that in the past you could do something like https://www.facebook.com/openid/consumer_helper.php?openid.mode=checkid_setup&user_claimed_id=YOUR_CLAIMED_ID_HERE&context=link&request_id=0&no_extensions=false&third_party_login=false, but now the consumer_helper.php endpoint is gone. So for more than a year I thought Facebook was not vulnerable at all, until one day I was testing Facebook’s Forgot your password? functionality and saw a request to https://www.facebook.com/openid/receiver.php.”

 “That’s when I began to suspect that Facebook was indeed vulnerable to that same XXE I had found out more than a year ago,” he continued. “I had to work a lot to confirm this suspicion, though. Long story short, when you forget your password, one of the ways you can prove to Facebook that you own an @gmail.com account is to log into your Gmail and authorize Facebook to get your basic information (such as email and name). The way this works is you’re actually logging into Facebook using your Gmail account, and this login happens over OpenID.”

This is where he got stuck. For his bug to work, the OpenID Relying Party – in this case, Facebook – has to make a Yadis discovery request to an OpenID Provider (OP) under the attacker’s control. He made a request to https://www.facebook.com/openid/receiver.php that caused Facebook to perform a Yadis discovery on a URL under his control, and the response to that request would contain malicious XML

“I knew I had a XXE because when I told Facebook’s server to open /dev/random, the response would never come and eventually a request killer would kick in after a few minutes,” he blogged. “But I still couldn’t read any file contents. I tried everything on the XXE back of tricks (including weird combinations involving parameter entities, but nothing.”

After fixing a bug in his code however, he was able to get his attack to work.

“That’s right, the response contained Facebook’s /etc/passwd,” he blogged. “Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn’t go through any kind of proxy was surely something Facebook wanted to avoid at any cost.”

He wanted next to escalate the bug to full remote code execution, but choose to follow the rules of Facebook’s bug bounty program before going any further. After exchanging emails with Facebook, he went ahead with his plans.

According to Facebook, a short-term fix was live just 3.5 hours after Silva reported the bug.

“After debugging, we concluded that libxml_disable_entity_loader(true) was indeed the correct final fix,” Facebook noted in a blog post. “Because we want to leave the code in a better state than we found it (rewrite old code, write tests, etc), writing the long term fix is often the step in the lifecycle of a bug that takes the longest. We wanted this line to run before anything else, so we put it in the lowest level of the callstack in our request initialization code.”

“In the process, we came across another endpoint using the vulnerable code and ensured it was protected by the same Takedown rule we deployed previously, as well as our permanent fix,” Facebook continued. “In parallel, other members of the Security team investigated the logs corresponding to this issue and confirmed that it had not been previously exploited or used maliciously.”

“At this point, we wrote back to Reginaldo to applaud him for his file read vulnerability,” Facebook added. “We discussed the matter further, and due to a valid scenario he theorized involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE (remote code execution) bug.”

The payout is the biggest one the social network has ever issued, the company said.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.