Connect with us

Hi, what are you looking for?



Facebook Pays Big Bounty for DoS Flaw in Fizz TLS Library

While Facebook’s bug bounty program does not typically cover denial-of-service (DoS) vulnerabilities, the social media giant has decided to award a significant bounty for a serious flaw affecting Fizz, its open source TLS library.

While Facebook’s bug bounty program does not typically cover denial-of-service (DoS) vulnerabilities, the social media giant has decided to award a significant bounty for a serious flaw affecting Fizz, its open source TLS library.

Fizz, which Facebook released as open source in August 2018, is the company’s implementation of the TLS 1.3 cryptographic protocol. At the time when it was made public, Fizz had been used by Facebook to secure communications in its mobile applications, load balancers, internal services, its Proxygen HTTP framework, and other applications. Other organizations and open source projects may have also started using it after its release as open source.

Facebook Fizz vulnerabilityA researcher from code analysis firm Semmle discovered that Fizz is affected by a DoS vulnerability that can be easily triggered by a remote and unauthenticated attacker. Exploitation of the flaw causes Fizz to enter an infinite loop, which results in the web service becoming unavailable. The flaw cannot be exploited to gain access to user data, both Facebook and Semmle have confirmed.

“The impact of the vulnerability is that an attacker can send a malicious message via TCP to any server that uses Fizz and trigger an infinite loop on that server. This could make the server unresponsive to other clients,” explained Kevin Backhouse, the Semmle researcher who found the flaw.

“The size of the message is just over 64KB, so this attack is extremely cheap for the attacker, but crippling for the server. To illustrate this, a single computer with an unexceptional domestic-grade internet connection (1Mbps upload speed) could send two of these messages per second. Since each message knocks out one CPU core, it would only take a small botnet to quickly debilitate an entire datacentre,” he added.

The vulnerability was reported to Facebook on February 20 and a patch was rolled out to Facebook’s internal systems on the same day. The fix was pushed to GitHub five days later – the patch is included in version 2019.02.25.00 and later.

While Facebook’s bug bounty program does not typically cover DoS vulnerabilities, the company has decided to award a $10,000 bounty due to the fact that the issue “could have had significant risk.” Semmle has donated the bounty to a charity so Facebook doubled the amount, and the code analysis firm also matched the original bounty and donated it to a different charity.

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Advertisement. Scroll to continue reading.

Related: Facebook Paid Out $1.1 Million in Bug Bounties in 2018

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.