This is the largest amount of money ever paid out by Facebook to a security researcher

Jan 23, 2014 07:43 GMT

Facebook has rewarded Brazilian computer engineer and security researcher Reginaldo Silva with $33,500 (€25,000) for finding and reporting a remote code execution vulnerability. Such security holes are rare these days, and this is the largest amount of money Facebook has paid to a security researcher so far.

According to the researcher, it all started in September 2012, when he found an XML External Entity Expansion (XXE) bug in the Drupal component that handles OpenID. Since OpenID is used by many services, Silva started testing to see which of them were affected.

Initially, he thought Facebook wasn’t vulnerable at all, until one day in November 2013 when he was testing the social media service’s “Forgot your password” functionality.

He found that the XXE vulnerability he had identified over a year earlier also affected facebook.com/openid/receiver.php. He immediately reported his findings to Facebook, which rolled out a short-term fix less than four hours after Silva submitted his first report.

XXE security holes are serious because an attacker-supplied XML document can declare an external entity that the server's parser resolves, allowing arbitrary files on the affected web server to be read. However, Silva suspected that he could take it even further and leverage the flaw for remote code execution.
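The usual defence against this class of bug is to refuse DTDs entirely when parsing XML that arrives from outside, as an OpenID receiver endpoint must do. The following is an added example, not code from the article or from Drupal or Facebook: it uses only Python's standard-library expat binding, and both XML documents (a benign XRDS-style discovery document and an XXE probe) are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use features we do not accept."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted peer into a plain dict tree, refusing any DTD."""
    p = expat.ParserCreate()

    # A DOCTYPE is the only place entities can be declared, so rejecting it up
    # front blocks external entities (file reads) and internal entity bombs alike.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused: DTDs are not accepted from untrusted input")

    p.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: never load parameter entities or fetch external entities.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    root, stack = None, []

    def start(tag, attrs):
        nonlocal root
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        else:
            root = node
        stack.append(node)

    p.StartElementHandler = start
    p.EndElementHandler = lambda tag: stack.pop()
    p.CharacterDataHandler = lambda text: stack[-1].__setitem__("text", stack[-1]["text"] + text)
    p.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return root


# Constructed sample: the kind of OpenID discovery document a receiver expects.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://idp.example/op</URI></Service></XRD></xrds:XRDS>"""

# Constructed sample: an XXE probe (placeholder path), which must be refused.
XXE_PROBE = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///path/on/server">]>
<r>&ext;</r>"""
```

A `<!DOCTYPE` scan on the raw bytes before parsing is a cheap additional gate when the parser library does not expose a doctype hook.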

Since Facebook had already rolled out a fix, he could not test his theory. Instead, he wrote back to the Facebook security team explaining how he would have escalated the bug to remote code execution.

After analyzing his report, Facebook determined that his attack theory was correct and that it really was a remote code execution issue. That is why Silva has been rewarded with $33,500 (€25,000) for his work.

“We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators. As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors,” Facebook explained.