Facebook has rewarded Brazilian computer engineer and security researcher Reginaldo Silva with 33,500 dollars (€25,000) for finding and reporting a remote code execution vulnerability. Such security holes are hard to find nowadays, which is why this is the largest bounty Facebook has paid to a security researcher so far.
According to the researcher, it all began in September 2012, when he found an XML External Entity Expansion (XXE) bug in Drupal's OpenID component. Since OpenID was used by many services, Silva began testing to see which of them were affected.
At first he thought that Facebook could not be vulnerable. Then, in November 2013, more than a year later, while examining the "Forgot your password" feature, he found that the XXE vulnerability affected the file facebook.com/OpenID/receiver.php.
He immediately reported his findings to Facebook, which fixed the vulnerability four hours after Silva submitted his first report.
XXE holes are serious because they can be exploited to read sensitive files from the web server through ordinary requests to it. Silva, however, suspected that the flaw could be taken further, to remote code execution. Since Facebook had already fixed the bug, he could not test his theory, so instead he wrote to Facebook's security team explaining how the bug could be escalated into a remote code execution vulnerability.
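The standard defence against the class of bug described above is to refuse any DTD before the XML parser can act on it. The following example is added here and is not code from the article, from Facebook or from Drupal; it assumes an OpenID relying party that parses XRDS discovery documents received from remote identity providers, uses only Python's standard-library expat parser, and works on constructed sample documents.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"  # namespace of XRDS/Yadis discovery documents


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Abort as soon as expat sees a DOCTYPE, an entity declaration or an
    external entity reference. Working at parser level (not with a regex)
    also covers UTF-16 input, where a search for b'<!DOCTYPE' sees nothing."""
    parser = expat.ParserCreate()

    def reject(*_handler_args):
        raise DtdNotAllowed("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject   # any <!DOCTYPE ...>
    parser.EntityDeclHandler = reject         # <!ENTITY ...>, parameter entities too
    parser.ExternalEntityRefHandler = reject  # &ext; bound to a SYSTEM/PUBLIC id
    parser.Parse(xml_bytes, True)             # ExpatError if not well-formed


def classify(xml_bytes: bytes) -> str:
    """Triage for request logs: 'ok', 'dtd' (XXE attempt or other DTD use), 'malformed'."""
    try:
        check_no_dtd(xml_bytes)
    except DtdNotAllowed:
        return "dtd"
    except expat.ExpatError:
        return "malformed"
    return "ok"


def openid_endpoint(xrds_bytes: bytes) -> str:
    """First <URI> of an XRDS document, after refusing any DTD; ElementTree does
    not resolve external entities, but rejecting the DTD also blocks expansion bombs."""
    check_no_dtd(xrds_bytes)
    uri = next(ET.fromstring(xrds_bytes).iter(f"{{{XRD_NS}}}URI"), None)
    if uri is None or not uri.text:
        raise ValueError("no OpenID endpoint URI in XRDS document")
    return uri.text.strip()


# Constructed sample documents, not captured traffic.
BENIGN_XRDS = (b'<?xml version="1.0"?><xrds:XRDS xmlns:xrds="xri://$xrds" '
               b'xmlns="xri://$xrd*($v*2.0)"><XRD><Service>'
               b'<Type>http://specs.openid.net/auth/2.0/server</Type>'
               b'<URI>https://idp.example.test/openid</URI></Service></XRD></xrds:XRDS>')
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM '
           b'"file:///tmp/constructed-sample.txt">]><x>&ext;</x>')
UTF16_XXE_DOC = XXE_DOC.decode().encode("utf-16")  # same document, UTF-16 with BOM
MALFORMED_DOC = b"<XRDS><XRD></XRDS>"
```

Only the `dtd` verdict is worth alerting on; malformed documents are routine noise from broken providers.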
After this more detailed report, Facebook confirmed that the theory was correct and that remote code execution was indeed possible. That is why Silva was awarded 33,500 dollars (€25,000) for his work.
"As always, we want our payments to reward the hard work of researchers who are willing to do the right thing and report mistakes," Facebook explained.