Facebook remote code execution bug nets researcher $33,500

The social network's payout represents the largest bug bounty it has ever rewarded a researcher with.
Written by Michael Lee, Contributor

Facebook has paid out its largest bug bounty ever of $33,500 to a security researcher who could have potentially taken full control of a server within its network.

Since 2012, Brazilian computer engineer Reginaldo Silva has been toying with vulnerabilities in OpenID, the open technology that allows users to use an account with an existing identity provider to sign in to other compatible services. For example, a user can trust Symantec's Personal Identity Portal to create an OpenID account, then use that one account to sign in to WordPress.

In the event that users forget their passwords, Facebook itself can use an OpenID provider to verify the identity of the user. As part of the communication process, Facebook communicates with the provider, receiving an XML document and parsing it to verify that it is indeed the correct provider.

While this means that Facebook cannot be tricked into using a fake provider, the mere act of parsing the XML response from a fake provider opens it up to attack due to a known XML external entity processing vulnerability. This vulnerability allows an attacker to specify a URI to be stored in a system identifier, and then call upon that identifier to retrieve data. The XML processor can, in most cases, be instructed to disable the loading of external entities.

The ability to specify any URI means that Facebook's server handling the OpenID request can be forced to make arbitrary network connections, which already allows an attacker to abuse Facebook's bandwidth for denial of service attacks, but, more importantly, it allows read access to the local file system.

Taking advantage of this, Silva was able to access the server's /etc/passwd file, which contains a list of all user accounts and the location of their home directories.

At this point, Silva reported the bug to Facebook before proceeding with any attempts to escalate his privileges.

"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a [remote code execution] and then work on it while it was being fixed," Silva wrote on his blog.

Given the severity of the bug, however, Facebook put in place a short-term fix within 3.5 hours. It quickly ensured that its XML processor does not load external entities, and patched another endpoint that was vulnerable to the same exploit.

A check of Facebook's logs determined that this exploit had not been used against the social network in the past.

Unfortunately, with Facebook responding to the report so quickly, Silva was never able to make an attempt at executing remote code. However, in conversations he had with Facebook's security team, he discussed how he would have gone about doing so.

"I decided to tell the security team what I'd do to escalate my access, and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that," Silva said.

Silva has not disclosed exactly how he would have done it, but Facebook has confirmed that it involved an administrative feature that it was due to deprecate. Acknowledging that Silva would have been able to take control of its server, it has classified the vulnerability as a remote code execution bug.

Facebook has rewarded Silva with a bounty of $33,500. It came to this figure by asking its group of program administrators for their payout recommendations and taking the average.

Silva's discovery of the OpenID bug has wider implications for other providers using the technology. His reporting of the issue has enabled Drupal, Google, and StackOverflow to improve their security, but with many more organisations using OpenID, Silva believes there may be more at risk.

Editorial standards