Thursday, January 23, 2014

Facebook awards highest bug bounty of $33,500 to Brazilian Engineer


Facebook has announced that it has recently paid out its biggest bug bounty ever, to a Brazilian engineer. The social networking service awarded him $33,500 for spotting an XML external entities (XXE) vulnerability that, if left unchecked, could have allowed someone to read arbitrary files on the web server.

In a blog post outlining the vulnerability, Facebook wrote that in November, Reginaldo Silva sent a report that shed light on arbitrary file reads. It included proof-of-concept code, which made it easy for Facebook’s team to reproduce the problem.

The social network realised that the vulnerability was a serious one, and the team implemented a fix by flipping a flag that makes its XML parsing library refuse to resolve external entities. The team then used a tool called Takedown, which let it push that single line of repair code ahead of all other pending requests.
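The fix described above is a parser setting, not application logic. As an added example (not Facebook's code, and not from the original post), here is what that hardening looks like with Python's standard-library expat parser: any entity declared with a SYSTEM or PUBLIC identifier is rejected outright, external references are never fetched, and ordinary internal entities still expand. The two documents at the bottom are constructed test inputs; the file path in the second is a placeholder.

```python
import xml.parsers.expat as expat
from typing import Dict

class UnsafeXMLError(ValueError):
    """The document declares an entity that points outside the document."""

def parse_untrusted_xml(data: bytes) -> Dict[str, str]:
    """Parse XML with every path to external resources closed off; returns element -> text."""
    text, stack = {}, []
    p = expat.ParserCreate()
    # Never read external parameter entities (the external-DTD vector).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry SYSTEM/PUBLIC ids.
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError(f"external entity declared: {name}")

    def external_entity_ref(context, base, system_id, public_id):
        return 0  # refuse to fetch; expat turns this into a parse error

    def chars(chunk):
        text[stack[-1]] = text.get(stack[-1], "") + chunk

    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_entity_ref
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = chars
    p.Parse(data, True)
    return text

def accepts(data: bytes) -> bool:
    """True when the document parses without any external reference (malformed input is also rejected)."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False

# Constructed test inputs: a harmless internal entity, and an external reference
# to a placeholder path (the shape behind the post's "arbitrary file read").
INTERNAL_DOC = b'<!DOCTYPE d [<!ENTITY co "Facebook">]><d><owner>&co;</owner></d>'
XXE_DOC = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b'<d><owner>&ext;</owner></d>')
```

The `EntityDeclHandler` check fires at declaration time, so a blocked document is rejected before the parser ever reaches the `&ext;` reference.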

The best part about Facebook’s effort was that it managed to find a fix for the issue within four hours of Silva reporting the bug. You can read how Facebook went about fixing the bug in its blog post.

Previously, Facebook had awarded a security researcher $20,000 for finding a bug that allowed a user to take over any other account on the website without any human interaction. While the issue was brought to Facebook’s attention in May last year, the social network announced the bounty in June.

In September last year, Facebook also paid a bounty of $12,500 to an Indian Electronics and Communications Engineer for spotting a bug that allowed a user to delete an image on a page without any interaction from a user.

About Us

I, Bimal K. Chawla, work in Android technology as an Associate Software Engineer in Mohali, Punjab, India. I like to play and watch cricket, to walk...
