Facebook Hacker received $33,500 reward for Remote code execution vulnerability
Facebook has paid out its largest Bug Bounty ever of $33,500 to a Brazilian security researcher for discovering and reporting a critical Remote code execution vulnerability, which potentially allows the full control of a server.
In September, 'Reginaldo Silva' found an XML External Entity Expansion vulnerability affecting the part of Drupal that handled OpenID, which allows attacker to read any files on the webserver.
As a feature, Facebook allows users to access their accounts using OpenID in which it receives an XML document from 3rd service and parse it to verify that it is indeed the correct provider or not i.e. Receives at https://www.facebook.com/openid/receiver.php
In November 2013, while testing Facebook's 'Forgot your password' functionality, he found that the OpenID process could be manipulated to execute any command on the Facebook server remotely and also allows to read arbitrary files on the webserver.
In a Proof-of-Concept, he demonstrated that how an attacker can read the content of 'etc/passwd' file from Facebook's server just by manipulating the OpenID request with malicious XML code, and in order to extract the essential login information such as system administrator data and user IDs.
"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a [remote code execution] and then work on it while it was being fixed," he said.
After receiving bug reports from Silva, the Facebook Security team immediately released a short term patch within 3.5 hours, described as:
"We use a tool called Takedown for this sort of task because it runs on a low level, before much of the request processing happens. It allows engineers to define rules to block, log and modify requests. Takedown helped us ensure this line of code ran before anything else for any requests hitting /openid/receiver.php."
The Facebook team determined that the vulnerability could have been escalated to a remote code execution issue, and rewarded Silva accordingly after patching the flaw.
Update: Facebook has accepted the flaw as Remote code execution (RCE). In a post Facebook said, "We discussed the matter further, and due to a valid scenario he theorized involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE bug".