Bug Hunting

1. The Unseen: Facebook Bug Bounty 2014, X-XSS and Filter Evasion worth 7500$ (Paulos Yibelo)

You probably are wondering why I called it “The Unseen”. Some sort of scary movie name. Well, I called it “The Unseen” because I didn't see it the first time around: I quickly submitted the first bug I noticed and missed this one. I wrote about the first bug here. It was a Linkshim evasion and URL redirection issue: I used “../http://site.com” in the continue parameter for redirection, bypassing the FB Linkshim, and I explained how there.

After Facebook approved my bug, promised me a 1000$ bounty and fixed the issue, I reread my blog post entitled “bypassing htmlentities()” and remembered something I always talk about: XSS. The bug could have been a cross-site scripting. How? Well, when given the Linkshim “../http://site.com”, the parameter produced this code (first bug):

<a href="http://site.com">Continue</a>

You know what that means: if I gave it “../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#” it would output this:

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#">Continue</a>

For those of you who can’t base64-decode in your head :P, that is equivalent to “<script>alert('XSS')</script>”, and I put the hash (#) at the end to make sure the parameters following it are ignored rather than treated as part of the Base64.

Or simply by giving the parameter “../javascript:alert(0);”, which produces:

<a href="javascript:alert(0);">Continue</a>

The above href attribute is properly sanitized and run through htmlentities(). But since neither htmlentities() nor htmlspecialchars() filters the above payload (they encode HTML metacharacters, not URL schemes), it was possible to execute a reflected XSS when a user clicked the Continue button. The final payload would look something like
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=../javascript:alert(0);&perm&no_fw=1&_rdr

Makes me wonder what I can do with it, stil da kookies? Lmao.
So simple, but effective. I reported this issue after the URL redirection had been fixed (making it impossible to generate the XSS), but the Facebook security team was kind enough to understand the impact this could have had, reconsider the first bounty as three types of injection in one parameter (XSS, redirection, Linkshim evasion), and raise the bounty to 7500$, which by the way is a lot of money.
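As an added example (my code, not from the post and not Facebook's), the following Python models why htmlentities()-style escaping alone leaves the Continue link exploitable and what the fix looks like. Python's html.escape plays the role of htmlentities()/htmlspecialchars(); the strip_leading_dotdot step and the ALLOWED_HOSTS list are constructed assumptions standing in for the redirect handler the post describes, whose real logic is not on the page.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist for this example; the real redirect policy is not on the page.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}
DEFAULT_TARGET = "/"


def strip_leading_dotdot(value: str) -> str:
    """Stand-in for the behaviour the post describes: a leading '../' is
    accepted and has disappeared by the time the value lands in href.
    This is a constructed model, not Facebook's code."""
    while value.startswith("../"):
        value = value[3:]
    return value


def render_continue_link_vulnerable(continue_param: str) -> str:
    """Escapes HTML metacharacters only (the htmlentities()/htmlspecialchars()
    pattern). '<', '>', '&' and quotes are neutralised, so the attribute can't
    be broken out of, but the URL scheme is never checked, so javascript: and
    data: survive intact and run when the link is clicked."""
    target = strip_leading_dotdot(continue_param)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


def is_safe_continue_url(url: str) -> bool:
    """Scheme/host allowlist for a redirect target.

    Accepts a same-origin absolute path ('/foo', but not '//host/foo') or an
    http(s) URL whose host is allowlisted. Everything else, including
    javascript:, data: and off-site http(s) URLs, is rejected."""
    # Browsers drop tabs and newlines inside URLs ("java\tscript:" still runs),
    # so refuse anything containing them instead of trying to normalise.
    if any(ch in url for ch in "\t\n\r"):
        return False
    url = url.strip()  # browsers also ignore leading/trailing whitespace
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")
    # parts.hostname is lowercased and strips userinfo/port, so
    # 'https://m.facebook.com@evil.example/' resolves to the real host.
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def render_continue_link_hardened(continue_param: str) -> str:
    """Validates the final URL (after the same normalisation) before escaping.
    Escaping is still needed to keep the attribute well-formed; validation is
    what removes the scheme-based XSS and the open redirect."""
    target = strip_leading_dotdot(continue_param)
    if not is_safe_continue_url(target):
        target = DEFAULT_TARGET
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    # Constructed inputs modelled on the payloads in the post.
    samples = [
        "../javascript:alert(0);",
        "../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#",
        "../http://site.com",
        "/feed_menu/?story_fbid=1&id=2",
        "https://m.facebook.com/home.php",
    ]
    for s in samples:
        print("input    :", s)
        print("escaped  :", render_continue_link_vulnerable(s))
        print("validated:", render_continue_link_hardened(s))
        print()
```

The design point is that escaping and validation answer different questions: html.escape guarantees the value cannot close the attribute or start a tag, while is_safe_continue_url decides whether the value is an acceptable navigation target at all. Validating the raw parameter instead of the normalised one would repeat the original mistake, since "../javascript:..." has no scheme until the "../" is gone.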

2.

Facebook pays Brazilian engineer $33,500 for security bug in highest payout to date

Facebook announced that it has awarded its biggest bug bounty payout since the program’s start in 2011. The social networking company revealed that Brazilian computer engineer Reginaldo Silva cast a spotlight on an XML external entities vulnerability that, if left unchecked, could have allowed someone to read “arbitrary files” on the webserver. As a result, Facebook rewarded Silva for his discovery and paid him $33,500.
In a Facebook post, the company shares that it received a bug report from Silva back in November and that upon verifying the issue, implemented a fix that would take care of part of the issue. After the bug was gone, the engineering team needed to figure out how to distribute it to all of Facebook’s webservers. To accomplish this task, the team utilized a tool called Takedown that helped prioritize the line of code needed to repair the damage above all other requests.
Of course, all of the effort thus far was to rectify the problem — now Facebook needed to investigate to understand what went wrong and if there were any other parts of the code that were vulnerable.
You can read the whole explanation on Facebook, along with Silva’s own thoughts here.
Prior to Silva, in June, a British researcher received $20,000 for discovering a security flaw on Facebook and was paid out through the bug bounty program. It was set up as a means to allow whitehat hackers to disclose vulnerabilities in the social network to the company in a safe manner so that user data isn’t compromised and the social network as a whole is improved.
But while Facebook says that the $33,500 payout to Silva was its highest to date, there’s really no maximum reward.
(http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution , how he executed it ;) )
