
Facebook Pays Big Bounty for DoS Flaw in Fizz TLS Library

While Facebook’s bug bounty program does not typically cover denial-of-service (DoS) vulnerabilities, the social media giant has decided to award a significant bounty for a serious flaw affecting Fizz, its open source TLS library.


Fizz, which Facebook released as open source in August 2018, is the company’s implementation of the TLS 1.3 cryptographic protocol. At the time when it was made public, Fizz had been used by Facebook to secure communications in its mobile applications, load balancers, internal services, its Proxygen HTTP framework, and other applications. Other organizations and open source projects may have also started using it after its release as open source.

A researcher from code analysis firm Semmle discovered that Fizz is affected by a DoS vulnerability that can be easily triggered by a remote and unauthenticated attacker. Exploitation of the flaw causes Fizz to enter an infinite loop, which results in the web service becoming unavailable. The flaw cannot be exploited to gain access to user data, both Facebook and Semmle have confirmed.

“The impact of the vulnerability is that an attacker can send a malicious message via TCP to any server that uses Fizz and trigger an infinite loop on that server. This could make the server unresponsive to other clients,” explained Kevin Backhouse, the Semmle researcher who found the flaw.

“The size of the message is just over 64KB, so this attack is extremely cheap for the attacker, but crippling for the server. To illustrate this, a single computer with an unexceptional domestic-grade internet connection (1Mbps upload speed) could send two of these messages per second. Since each message knocks out one CPU core, it would only take a small botnet to quickly debilitate an entire datacentre,” he added.
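The bug class behind this kind of parsing DoS is an integer that wraps inside a length-driven loop, so the parser passes its bounds check but never advances its cursor. The following is an added, constructed illustration of that class in C++; it is not Fizz's code, it does not reproduce the specific Fizz defect, and the fragment format (a 2-byte big-endian length followed by that many payload bytes) is an assumption made up for the demo. The vulnerable parser computes its advance in `uint16_t`, so a fragment whose length field is 0xFFFE (a message of 2 + 65534 = 65536 bytes) yields an advance of zero; the hardened parser does the arithmetic in `size_t` and also refuses to loop without progress.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed fragment stream (not a real TLS encoding): each fragment is a
// 2-byte big-endian length followed by `length` bytes of payload.

struct ParseResult {
    long fragments;        // fragments consumed, or -1 on malformed input
    bool hitIterationCap;  // true if the loop had to be cut off (it would spin forever)
};

// VULNERABLE: `advance` is a uint16_t, so 2 + 0xFFFE wraps to 0 and `pos`
// never moves. `maxIters` exists only so this demo terminates; a real server
// has no such cap and simply burns a core.
ParseResult parseVulnerable(const std::vector<uint8_t>& buf, size_t maxIters) {
    size_t pos = 0;
    long count = 0;
    for (size_t iter = 0; pos + 2 <= buf.size(); ++iter) {
        if (iter >= maxIters) return {count, true};
        uint16_t len = static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        // Bounds check is done in wider arithmetic, so it passes for a
        // complete 65536-byte message...
        if (buf.size() - pos < 2u + len) return {-1, false};
        // ...but the advance is narrowed back to 16 bits: (uint16_t)65536 == 0.
        uint16_t advance = static_cast<uint16_t>(2 + len);
        pos += advance;  // no progress when advance == 0
        ++count;
    }
    return {count, false};
}

// HARDENED: all length arithmetic in size_t, plus an explicit progress check
// as defence in depth against any future narrowing elsewhere in the loop.
ParseResult parseHardened(const std::vector<uint8_t>& buf) {
    size_t pos = 0;
    long count = 0;
    while (pos + 2 <= buf.size()) {
        size_t len = (static_cast<size_t>(buf[pos]) << 8) | buf[pos + 1];
        size_t advance = 2 + len;                       // header + payload, cannot wrap here
        if (buf.size() - pos < advance) return {-1, false};  // payload must be present
        size_t next = pos + advance;
        if (next <= pos) return {-1, false};            // never iterate without moving forward
        pos = next;
        ++count;
    }
    return {count, false};
}

// Constructed attacker message: length field 0xFFFE, then 65534 zero bytes
// (65536 bytes total, i.e. "just over 64KB" of payload plus header).
std::vector<uint8_t> buildWrapMessage() {
    std::vector<uint8_t> msg(2 + 0xFFFE, 0);
    msg[0] = 0xFF;
    msg[1] = 0xFE;
    return msg;
}

// Constructed benign stream: a 3-byte fragment followed by an empty fragment.
std::vector<uint8_t> buildBenignStream() {
    return {0x00, 0x03, 'a', 'b', 'c', 0x00, 0x00};
}

int main() {
    ParseResult v = parseVulnerable(buildWrapMessage(), 1000);
    ParseResult h = parseHardened(buildWrapMessage());
    std::cout << "vulnerable parser cut off after 1000 iterations: "
              << (v.hitIterationCap ? "yes" : "no") << "\n";
    std::cout << "hardened parser consumed " << h.fragments << " fragment(s)\n";
    std::cout << "benign stream: " << parseHardened(buildBenignStream()).fragments
              << " fragment(s)\n";
    return 0;
}
```

The point worth taking from the hardened version is the second check, not just the wider type: a loop that consumes attacker-controlled lengths should fail closed whenever an iteration would leave the cursor where it started, regardless of how the length was computed.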

The vulnerability was reported to Facebook on February 20 and a patch was rolled out to Facebook’s internal systems on the same day. The fix was pushed to GitHub five days later – the patch is included in version 2019.02.25.00 and later.

While Facebook’s bug bounty program does not typically cover DoS vulnerabilities, the company decided to award a $10,000 bounty because the issue “could have had significant risk.” Because Semmle donated the bounty to a charity, Facebook doubled the amount; Semmle also matched the original $10,000 and donated it to a different charity.

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Paid Out $1.1 Million in Bug Bounties in 2018

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

