Here is a critical bug discovered in Facebook, and the biggest bounty Facebook has ever paid for reporting a vulnerability in its website.
Reginaldo Silva, a Brazilian hacker, has discovered a highly critical Remote Code Execution (RCE) vulnerability in Facebook that could have allowed attackers to read any file on the server and to run malicious code on it.
In September 2012, he first discovered an XML External Entity (XXE) expansion bug in Drupal's OpenID handling. OpenID is an open technology that lets users authenticate to websites without having to create a new password.
He found a similar bug affecting Google's App Engine and Blogger. However, it was not as critical, since he was not able to read arbitrary files or open network connections; he received a $500 reward from Google.
He found that plenty of other websites implementing OpenID are vulnerable to RCE.
Recently, Silva learned that the Facebook "forgot password" page also uses an OpenID provider to verify the identity of the user. He managed to find the XXE bug in Facebook, which allowed him to read the "/etc/passwd" file from the server.
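As an added example, not code from the article or from Silva's write-up: the defensive fix on the relying-party side is to refuse any DTD before an OpenID discovery document (XRDS) reaches the XML parser, which blocks both file-reading external entities and entity-expansion bombs. The two XRDS samples, the example.invalid endpoint and the helper names are constructed for this demonstration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or any entity."""

def _reject_dtd(data: bytes) -> None:
    """Pre-scan with a bare expat parser; any DOCTYPE, entity declaration or external reference raises."""
    p = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted XML")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity {name!r} not allowed in untrusted XML")
    def on_external(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity {sysid!r} refused")
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external
    p.Parse(data, True)  # the scan aborts at the first DTD construct, before any URI is touched

def parse_untrusted(data: bytes) -> ET.Element:
    _reject_dtd(data)
    return ET.fromstring(data)

XRD_NS = "{xri://$xrd*($v*2.0)}"

def openid_endpoint(xrds: bytes) -> str:
    """Return the OpenID server URI from an XRDS discovery document."""
    uri = parse_untrusted(xrds).find(f"{XRD_NS}XRD/{XRD_NS}Service/{XRD_NS}URI")
    if uri is None or not uri.text:
        raise ValueError("no OpenID endpoint in XRDS")
    return uri.text.strip()

def is_rejected(xrds: bytes) -> bool:
    """True if the document is refused as unsafe."""
    try:
        openid_endpoint(xrds)
    except UnsafeXMLError:
        return True
    return False

# Constructed benign XRDS document, as an OpenID relying party would fetch it.
XRDS_OK = b"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://openid.example.invalid/server</URI></Service></XRD></xrds:XRDS>"""
# Constructed hostile document: an external entity asking the parser to read a server file.
XRDS_XXE = b"""<!DOCTYPE xrds [<!ENTITY leak SYSTEM "file:///etc/passwd">]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service><URI>&leak;</URI></Service></XRD></xrds:XRDS>"""
```

The benign document yields the endpoint; the hostile one is refused at the DOCTYPE, so the referenced file is never opened.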
"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed," Silva wrote in his blog.
He thought it would take time to fix the bug. However, the Facebook security team responded quickly and fixed the issue within 3.5 hours.
"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers," Silva said.
He has been rewarded with a bounty of $33,500.