Hacker Won $31K Bounty For Reporting Numerous Facebook Bugs
A security researcher caught numerous vulnerabilities affecting the Facebook platform. For reporting all these Facebook bugs, the hacker won a total of $31500 as bounty.
Sharing the details in a Medium post, Bipin Jitiya described several Facebook bugs he found earlier this year. As he elaborated, he caught multiple SSRF (server-side request forgery) vulnerabilities, and chaining them could significantly raise the impact on the platform.
Briefly, the researcher first found that the “shortURL” task (the one that processes shortened URLs) did not require an authenticated session, so anyone could reach this service without logging in.
However, Facebook didn’t deem it a vulnerability.
Thus, the researcher kept looking for more issues and found practical attack scenarios. He observed that the SSRF could be used for phishing, and that it let him issue GET requests to both internal and external networks.
After that, he reviewed the source code of the MicroStrategy Web SDK hosted on Facebook, found another SSRF there, and established that coupling it with a second bug could drastically increase the impact.
Specifically, he caught a vulnerability in the Facebook URL shortener (https://fb.me/) that could leak sensitive data. As stated in the post:
This vulnerability discloses internal HTTP GET queries. This vulnerability discloses the information about the internal path to the logs folder, other file paths, internal system queries that use fetch data, internal IP address, internal ID, configuration related information, private documents, etc., without any authentication.
Hence, combining the two bugs (the blind SSRF in the MicroStrategy Web SDK and the information leak in the Facebook URL shortener) could lead to path traversal and SSRF attacks against the internal infrastructure behind the firewall.
Lastly, he found the SSRF vulnerability in the MicroStrategy demo portal as well.
Upon discovering the bugs in the Facebook platform, the researcher contacted the tech giant. However, it took him a while to convince Facebook of the impact of the flaws.
Fortunately, he succeeded in doing so, and won a $1000 bounty for the first SSRF alone, and a hefty $30000 bounty for reporting the combined impact of the blind SSRF with the data leak flaw.
Moreover, he also won a $500 bounty from MicroStrategy for reporting the flaw in the demo portal.
In all, he earned a total of $31500 in bug bounties for this series of discoveries.
Technical details about all the bugs he found, as well as the PoC, are available in his blog post.