Facebook money

Facebook rewards a researcher with €25.000 for a remote code execution security hole


Facebook rewarded the Brazilian computer engineer and researcher Reginaldo Silva with 33.500 dollars (€25.000) for finding and reporting a remote code execution vulnerability. Security holes of this kind are not easy to find these days, which is why this is the largest amount Facebook has paid a security researcher so far.

According to the researcher, it all began in September 2012, when he found an XML External Entity Expansion (XXE) vulnerability in the Drupal component that handles OpenID. OpenID was used by many services, so Silva began running tests to determine which of them were affected.

At first he thought Facebook could not be vulnerable, until November 2013, when, while checking the "Forgot your password" service, he found that the XXE vulnerability had been affecting the file facebook.com/OpenID/receiver.php for over a year.

He immediately reported his findings to Facebook, which fixed the vulnerability four hours after Silva submitted his first report.

XXE security holes are serious because they can be used to read sensitive files from the web server. Silva, however, suspected that the flaw could be pushed further, to remote code execution. Since Facebook had already fixed the bug, he could not test his theory. Instead, he wrote to the Facebook security team explaining how the error could escalate into a remote code execution vulnerability.
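The reason an XXE hole lets a parser read files is that the XML document itself may declare entities, and an external entity can point at a local file or URL that the parser then fetches and substitutes into the document. The usual fix is to refuse document type declarations and entity definitions before anything can be expanded. The following is an added example illustrating that mitigation; it is not code from Drupal, Facebook or the article. It uses Python's standard expat binding, and the two documents are constructed samples (the benign one is shaped like the XRDS document an OpenID discovery step fetches from an identity provider; the hostname and file path are placeholders).

```python
"""Reject DTDs and entity declarations before an XML parser can expand them.

Added example, not the article's or any project's code.  The sample
documents below are constructed; hostnames and paths are placeholders.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when the input carries a DOCTYPE, an entity declaration,
    or a reference to an external entity."""


def parse_without_entities(data: bytes) -> dict:
    """Parse `data` into {'root': name, 'elements': [(name, text), ...]}.

    Handlers for DOCTYPE, entity declarations and external entity
    references raise; expat propagates the exception out of Parse(),
    so no entity is ever expanded or fetched.
    """
    parser = expat.ParserCreate()
    elements = []      # (element name, text content) in end-tag order
    stack = []         # currently open element names
    text_parts = []    # character data of the innermost open element

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity {sysid!r} is not allowed")

    def on_start(name, attrs):
        stack.append(name)
        text_parts.clear()

    def on_chars(chars):
        text_parts.append(chars)

    def on_end(name):
        elements.append((stack.pop(), "".join(text_parts).strip()))
        text_parts.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    # The last element to close is the document root.
    return {"root": elements[-1][0] if elements else None, "elements": elements}


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_without_entities(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed benign discovery document (placeholder identity provider).
BENIGN_XRDS = b"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://idp.example/openid</URI></Service></XRD></xrds:XRDS>"""

# Constructed document that declares an external entity (placeholder path).
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE XRDS [ <!ENTITY leak SYSTEM "file:///placeholder/secret"> ]>
<XRDS><XRD>&leak;</XRD></XRDS>"""


if __name__ == "__main__":
    print(parse_without_entities(BENIGN_XRDS)["root"])   # xrds:XRDS
    print(is_rejected(EXTERNAL_ENTITY_DOC))              # True
```

The DOCTYPE handler fires before the entity declaration is even seen, so the malicious sample is refused at the first line of its prologue; the benign document, which carries no DTD, parses normally. Refusing declarations outright, rather than trying to validate what they point at, is what production libraries such as defusedxml do as well.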

After his more detailed report, Facebook confirmed that the theory was correct and that remote code execution was indeed possible. That is why Silva was awarded 33.500 dollars (€25.000) for his work.

"As always, we want our payments to reward the hard work of researchers who are willing to do the right thing and report mistakes," Facebook explained.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
