Facebook has given out a record fee for bug discovery, after a Brazilian security researcher exposed a vulnerability that could have been used to deliver malware to millions of Facebook users.
Reginaldo Silva was paid $33,500 for bringing the loophole to Facebook’s attention. He had found an XML external entity vulnerability within a PHP page on the Facebook servers which was responsiblle for handling OpenID authentication.
The bug would have allowed access to the ‘/etc/passwd’ file, a record of information about users, and would have allowed hackers to hijack the Gmail OpenID login – in other words, redirect anyone who uses their Gmail login details to access their Facebook account.
ZDnet reports that Silva first reported the OpenID bug, then saw the potential for it to develop into an even bigger threat – escalating it to a ‘remote code execution bug’, which is what merited the large reward.
The bug was fixed before Silva could demonstrate the potential to upload malware, but he discussed the exact method he would use with the Facebook security team, satisfying them that it was a valid bug.
On his blog, he wrote: “Since I didn’t want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a [remote code execution] and then work on it while it was being fixed”.
In a statement posted on the ‘Facebook Bug Bounty’ page, Facebook’s security team described the payout as “a great validation of the program we’ve been building and running since 2011″. Regarding the scale of the reward, the statement continues “We knew we wanted to pay out a lot because of the severity of the issue… As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.”
According to ZDnet, the discovery has already allowed other sites to strengthen their OpenID security, including Google, Drupal and StackOverflow, but there may be similar weaknesses waiting to be discovered.
In 2013, a British researcher was awarded $20,000 – the then highest payout from Facebook – for revealing a bug in the social media site’s SMS verification system, whereby users can link their mobile phone to their account and login using their phone number. The bug would let you send password reset codes to another mobile.
Author Staff Writer, ESET