Facebook has resolved a serious security flaw within a company server which permitted the remote execution of code by threat actors.
Security researcher Daniel 'Blaklis' Le Gall, from SCRT information security, secured a $5,000 bug bounty for reporting the flaw to the social networking giant.
In a security advisory describing the vulnerability, the researcher said the bug was discovered in one of Facebook's servers.
While scanning an IP range connected to the company, Blaklis found a Sentry service, written in Python with the Django framework, which appeared to be unstable.
"The application seemed to be unstable regarding the user password reset feature, which occasionally crashed," the researcher said. "Django debug mode was not turned off, which consequently prints the whole environment when a stacktrace occurs. However, Django snips critical information (passwords, secrets, key...) in those stacktraces, therefore avoiding a massive information leakage."
Upon closer inspection, Blaklis realized he was able to spot the session cookie names, their options, and the serializer in use, called Pickle. Pickle is a binary protocol used to serialize and deserialize Python object structures. Unlike JSON or YAML, it can reconstruct classes and methods, not just plain data.
The secret key used by Django was not available in the stacktrace. However, the Sentry options list contained a key that had not been snipped.
According to Sentry, this key is used "for session signing [..] and if this becomes compromised it's important to regenerate it as otherwise it's much easier to hijack user sessions."
Armed with this key, the researcher wrote a script to forge signed cookies carrying arbitrary Pickle content, including a payload that overrode the Sentry cookie.
The cookie in question was then overridden with an arbitrary object. To prove the flaw without causing any real damage, Blaklis used a payload that only introduced a 30-second delay, and the attempt succeeded.
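The two ingredients of the bug described above, a signing key that is only as strong as its secrecy and a serializer that can name arbitrary Python objects, can be shown on a small scale. The following is an added, constructed example and is not Sentry's or Django's own code: the cookie format, the `RestrictedUnpickler` allow-list (the pattern from the Python `pickle` documentation), the sample session `{"user_id": 42}` and the demo secret are all made up for illustration. It signs a cookie with HMAC, shows that a cookie verifies only under the key it was signed with, and shows that a Pickle payload naming an importable object (here the harmless `json.dumps`) is accepted by a stock unpickler but refused by the restricted one, whereas a JSON serializer can never express such a reference.

```python
"""Constructed example: signed session cookies and the serializer behind them.

Not the Sentry/Django code from the advisory. Two defender-side points:
  1. Anyone holding the signing key produces valid signatures, so a
     leaked key must be rotated (rotating it also invalidates old cookies).
  2. The serializer decides what a forged cookie can express. JSON yields
     only plain data; Pickle can name any importable object, so a stock
     unpickler must never see attacker-controlled bytes.
"""
import base64
import binascii
import builtins
import hashlib
import hmac
import io
import json
import pickle

# Hypothetical allow-list: the only globals a session pickle may reference.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global outside SAFE_BUILTINS (python docs pattern)."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def serialize(session, fmt):
    if fmt == "json":
        return json.dumps(session).encode()
    if fmt == "pickle":
        return pickle.dumps(session)
    raise ValueError(f"unknown serializer {fmt}")


def deserialize(payload, fmt):
    if fmt == "json":
        return json.loads(payload.decode())  # can only ever produce data
    if fmt == "pickle":
        return RestrictedUnpickler(io.BytesIO(payload)).load()
    raise ValueError(f"unknown serializer {fmt}")


def sign_cookie(key, payload):
    """Cookie = base64(payload) '.' base64(HMAC-SHA256(key, payload))."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(mac)


def read_cookie(key, cookie, fmt):
    """Return ("ok", obj), ("bad_signature", None) or ("rejected", reason)."""
    try:
        p64, m64 = cookie.split(b".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return ("bad_signature", None)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return ("bad_signature", None)
    try:
        return ("ok", deserialize(payload, fmt))
    except (pickle.UnpicklingError, ValueError) as exc:
        # UnicodeDecodeError and JSONDecodeError are ValueError subclasses
        return ("rejected", str(exc))


def pickle_naming_a_global():
    """Constructed sample: a pickle that references an importable function
    (json.dumps, harmless) instead of plain data. Pickle stores it as a
    module/name pair that the unpickler imports on load."""
    return pickle.dumps(json.dumps)


def demo():
    key = b"constructed-demo-secret"
    results = {}
    session = {"user_id": 42}  # constructed session contents

    # Legitimate cookie, correct key, restricted unpickler: plain data comes back.
    cookie = sign_cookie(key, serialize(session, "pickle"))
    results["legit"] = read_cookie(key, cookie, "pickle")

    # Same cookie after the key is rotated: signature no longer verifies.
    results["wrong_key"] = read_cookie(b"rotated-secret", cookie, "pickle")

    # A payload naming a global, signed with the (leaked) key: the signature
    # is valid, but the restricted unpickler refuses to resolve the name.
    forged = sign_cookie(key, pickle_naming_a_global())
    results["forged_restricted"] = read_cookie(key, forged, "pickle")

    # A stock unpickler resolves the same name and hands back the object.
    results["forged_stock"] = type(pickle.loads(pickle_naming_a_global())).__name__

    # The same bytes under a JSON serializer cannot be decoded into anything.
    results["forged_json"] = read_cookie(key, forged, "json")[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The restricted unpickler is a hardening step for code that cannot move off Pickle; the cleaner fix, and the one JSON-style serializers give for free, is a format that cannot name code at all. Key rotation is shown in the `wrong_key` case: once the secret changes, every cookie signed under the old one stops verifying.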
A threat actor could have used the security flaw to remotely hijack the system, causing damage and enabling them to steal data from the server. However, Blaklis is keen to emphasize that no user data was contained in the server or exposed due to the bug.
The researcher then reported his findings to Facebook on 30 July.
Facebook quickly acknowledged the security flaw and took down the server until a patch was implemented on August 9. Blaklis was awarded $5,000 for his findings.
In February, Facebook patched a vulnerability which leaked information belonging to administrators and only took minutes to exploit.