Researcher rewarded $33k for snatching password file from Facebook’s server

In September 2012, a Brazilian computer engineer, Reginaldo Silva, discovered a bug that would eventually lead him to rewards from Google and Facebook. The flaw, a XML External Entity Expansion (XXE) bug, was easily targeted on domains that offer OpenID authentication.

OpenID is still popular, and it’s used in many places on the Web, including Facebook. In 2012, Silva’s discovery led to a $500 USD reward from Google, but his bug affects libraries implemented in Java, C#, PHP, Ruby, Python, and Perl, so he continued to work on the problem. At present, Silva says that many implementations of OpenID are still vulnerable to the XXE bug.

So how did his progression lead to such success with Facebook? He explained the details in a recent blog post.

“Long story short, when you forget your password, one of the ways you can prove to Facebook that you own an @gmail.com account is to log into your Gmail and authorize Facebook to get your basic information (such as email and name). The way this works is you’re actually logging into Facebook using your Gmail account, and this login happens over OpenID…”

In the case of Facebook, Silva needed to work out a way to control the Yadis discovery process (where Facebook is authorized to gather information) and make Facebook think it was talking to a legitimate OpenID provider, such as Google.

Since controlling Google was out of the question, he studied the OpenID spec, and discovered how to make Facebook issue a Yadis discovery request to a URL under his control. His attempts were successful, and the XXE bug worked. However, nothing prepared him for the level of success. Facebook’s server offered read access to most everything, including the /etc/passwd file.

In Silva’s words:

“By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn’t go through any kind of proxy was surely something Facebook wanted to avoid at any cost.”

Silva contacted Facebook immediately and reported the issue. He expected to turn the bug into a remote code execution flaw after he returned from lunch. However, Facebook took the report seriously, and said it triggered “notifications to our on-call employees.”

A fix was deployed across Facebook’s entire network by the time Silva returned from his break. It seemed his quest to do further research and develop the remote code execution flaw was over before it started. However, after investigating the matter further, Facebook determined that the issue could have been escalated to a remote code execution issue, and rewarded Silva accordingly, offering him $33,500 USD in compensation. To date, the sum represents the social networking giant’s largest bug bounty payout.

In a statement Facebook said:

“At this point, we wrote back to Reginaldo to applaud him for his file read vulnerability. We discussed the matter further, and due to a valid scenario he theorized involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE bug. We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators. As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.”