Facebook awarded its highest bug bounty ever to security researcher Reginaldo Silva, who discovered a severe bug in Facebook’s OpenID system which could have been used to take over an entire Facebook server.
Researcher Reginaldo Silva discovered a severe bug in Facebook’s OpenID system, granting him access to extremely sensitive information on the system, and which could have been used to carry out remotely executed code.
Silva noticed that Facebook allowed users to login to the website using their Google credentials with OpenID. He then discovered that it was possible to manipulate an OpenID process known as Yardis discovery, so that Facebook sent requests not to Gmail, but to a provider under his control.
This done, Facebook passed along a request to Silva, who responded using XML data which was tainted with bad code.
Silva then received a response containing Facebook’s etc/passwd, which gave him the ability to open almost any file he wanted, and open arbitrary network connections from Facebook’s server.
Silva reported the bug to Facebook, apprehensively.
“I knew I had found the keys to the kingdom,” he wrote. “After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn’t go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution.”
A Remote Control Execution (RCE) bug could have been used to take complete control of an entire Facebook server, utterly compromising the system.
But Silva knew there was a risk to messing with the exploit before reporting it to Facebook – while it could potentially be turned into an RCE bug which would fetch a very high price, bounty programs tend to demand that security researchers report a bug the minute it is discovered, without further messing with it. Worst case scenarios will automatically be considered.
Though unsure what Facebook would consider the exploit, Silva reported the bug. He went to lunch, and on his return, the Facebook bug had been patched. After talking with the team, and demonstrating how the exploit could have been used for a remote execution bug, the team agreed to classify it as a potential RCE bug, and awarded Silva with $33,500 – the highest bug payout Facebook has ever awarded.
While Facebook persists that “we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors”, many feel that Yardis was not properly awarded for his work, since he could have potentially earned a far greater amount selling it elsewhere.
But all things considered, Silva has received no small reward for his work, and Facebook has been spared an extremely severe attack.
Given how long the bug went undiscovered, only time will tell how many exploits of this nature lie hidden, waiting to be discovered by somebody who Facebook had better hope will be as honest as Silva.