Facebook awards $33,500 bounty for critical flaw

Facebook has announced that it has awarded $33,500 – their biggest bug bounty payout to date – to a Brazilian security researcher that discovered a remote code execution flaw affecting Facebook’s servers.

Reginaldo Silva initially reported to the company his discovery of an XML external entities (XXE) vulnerability which would allow attackers to read arbitrary files on their webserver.

This was in November 2013, but he found the bug a year earlier while examining how Drupal handled OpenID. It took him a year to realize that it could affect other services using the popular authentication standard, and he began his testing.

Once he discovered that Facebook was also vulnerable, he submitted his findings and PoC exploit code to the company’s security team.

“The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees,” the team explained in a post.

A short term fix was produced in less than four hours, and it was immediately deployed across the company’s webservers. Silva was notified, but was disappointed: he believed that the bug could be escalated to a Remote Code Execution vulnerability, but was now unable to prove it.

“I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not,” he wrote. “I’m glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers.

“We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators,” the team concluded and, after having received permission from Silva, shared the amount of the prize he received with the public.