Facebook patches critical server remote code execution vulnerability

The exploit took advantage of instability in the server's system.
Written by Charlie Osborne, Contributing Writer

Facebook has resolved a serious security flaw within a company server which permitted the remote execution of code by threat actors.

Security researcher Daniel 'Blaklis' Le Gall, from SCRT information security, secured a $5,000 bug bounty for reporting the flaw to the social networking giant.

In a security advisory describing the vulnerability, the researcher said the bug was discovered in one of Facebook's servers.

While scanning an IP range connected to the company, Blaklis found a Sentry service, written in Python with the Django framework, which appeared to be unstable.

"The application seemed to be unstable regarding the user password reset feature, which occasionally crashed," the researcher said. "Django debug mode was not turned off, which consequently prints the whole environment when a stacktrace occurs. However, Django snips critical information (passwords, secrets, key...) in those stacktraces, therefore avoiding a massive information leakage."

Upon closer inspection, Blaklis realized he was able to spot session cookie names, options, and the serializer in use, called Pickle. Pickle is a binary protocol used to unserialize Python object structures. The system is able to unserialize classes and methods, unlike JSON or YMAL.

The secret key used by Django was not available in the stacktrace. However, the sentry options list contained a key which was not snipped.

According to Sentry, this key is used "for session signing [..] and if this becomes compromised it's important to regenerate it as otherwise it's much easier to hijack user sessions."

CNET: Facebook kicks out Myanmar military as UN issues genocide report

Armed with this information, the researcher was able to create a script to forge malicious cookies with arbitrary Pickle content which included a payload to override the Sentry cookie.

TechRepublic: If your organization advertises on Facebook, beware of these new limitations

The cookie in question was then overridden with an arbitrary object. In order to test the security flaw, Blaklis implemented a 30-second time delay rather than cause any true damage, of which the attempt proved to be successful.

A threat actor could have used the security flaw to remotely hijack the system, causing damage and enabling them to steal data from the server. However, Blaklis is keen to emphasize that no user data was contained in the server or exposed due to the bug.

The researcher then reported his findings to Facebook on 30 July.

Facebook quickly acknowledged the security flaw and took down the server until a patch was implemented on August 9. Blaklis was awarded $5,000 for his findings.

See also: Medical records of high school students leaked in 'appalling' data breach

In February, Facebook patched a vulnerability which leaked information belonging to administrators and only took minutes to exploit.

Previous and related coverage

Editorial standards