An independent security researcher from Brazil netted the largest-ever payout from Facebook's bug bounty program after discovering a remote code execution flaw last November. The bug, which exploited a weakness in implementations of the OpenID authentication system, also affects a wide range of other services. A major find, the bug has prompted discussion over the value of bugs and the appropriate compensation for bug bounty programs.
Inside the vulnerability
Researcher Reginaldo Silva was awarded $33,500 by Facebook for the bug, IDG News Service reported. He first discovered the vulnerability, an XML External Entity Expansion (XXE) bug, a year earlier in the OpenID component of Drupal. He found other instances of the error in Google's App Engine and Blogger services, which landed him a $500 bounty from the search company. He also sought it out and discovered it in a number of other services before finally landing on a portion of Facebook's code that used OpenID: its "Forgot your password?" function. Through a request to https://www.facebook.com/openid/receiver.php, he could force Facebook to request a URL with malicious XML code and ultimately gain full read access to the company's servers.
"By then I knew I had found the keys to the kingdom," Silva wrote on his blog. "After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost."
Facebook reportedly delivered a fix for the issue within a matter of hours, and the company recently acknowledged Silva's contribution on its blog as an example of its bug bounty program working as intended. The issue has not been exploited, to Facebook's knowledge. Silva did not publish the proof of concept on his blog, noting that the bug was still live in many other implementations of OpenID.
Facebook noted that it was able to fix the error with a single line of code, libxml_disable_entity_loader(true);, which prevents the XML parsing library from resolving external entities. Facebook also explained that such incidents are a good opportunity to revisit code and to perform maintenance tasks such as refactoring.
"Because we want to leave the code in a better state than we found it (rewrite old code, write tests, etc), writing the long term fix is often the step in the lifecycle of a bug that takes the longest," Facebook stated.
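As an added example (not Facebook's or Silva's code), the following PHP shows how an OpenID relying party can parse an XRDS discovery document from a user-supplied identifier without ever resolving external entities, applying the one-line fix quoted above plus a DOCTYPE check; the XRDS namespaces are those defined by the Yadis specification, and both sample documents are constructed.

```php
<?php
// Added example, not Facebook's or Silva's code: parse an OpenID XRDS
// discovery document so that a DTD in provider-supplied XML can never make
// the server read local files or open network connections.
declare(strict_types=1);

function parseXrdsEndpoints(string $xml): array
{
    // XRDS never needs a DTD, and every XXE variant starts with a DOCTYPE,
    // so reject such a document outright before libxml ever sees it.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DTD not allowed in XRDS document');
    }
    // The one-line fix from the article. It is deprecated on PHP >= 8.0, where
    // external entity loading is already off by default, so call it only on older PHP.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT is
    // deliberately NOT passed, so entities are never substituted.
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('Malformed XRDS document');
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('xrd', 'xri://$xrd*($v*2.0)');
    $endpoints = [];
    foreach ($xpath->query('//xrd:Service/xrd:URI') as $uri) {
        $endpoints[] = trim($uri->textContent);
    }
    return $endpoints;
}

// Constructed samples: a benign discovery document, and the same document
// carrying a DTD with an external entity (the path is a placeholder).
$benign = <<<'XML'
<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://idp.example/openid</URI></Service></XRD>
</xrds:XRDS>
XML;
$hostile = str_replace('<xrds:XRDS',
    '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><xrds:XRDS', $benign);

var_dump(parseXrdsEndpoints($benign));
try {
    parseXrdsEndpoints($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The DOCTYPE check is the part that matters on every PHP version; the libxml call is the belt-and-braces measure for older runtimes where external entity loading is on by default.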
How much is a bug worth?
While the $33,500 bounty was substantial, it also sparked an outcry that the amount was insufficient. Silva explained that Facebook increased the amount of the bounty once it confirmed the issue was a remote code execution attack. He also cited a Bloomberg article in which Ryan McGeehan, who manages Facebook's security incident response unit, said the company would pay out accordingly for a "million-dollar bug." Silva noted that his own payout "didn't even get close to the one-million dollar payout," explaining that he had pointed to McGeehan's comment "mostly as a joke."
Nonetheless, the fact that Facebook's largest-ever bug bounty topped out at less than $35,000 drew attention at a time when some high-end exploits are selling on the private market for six figures. Last year, for instance, an iOS zero-day flaw sold for half a million dollars. Several commenters on Facebook's bug bounty post dismissed the payout as insubstantial.
"For this severity rating, the payout should have been way more," user Tyler Weiss wrote. "Never mind how easy the fix was."
Regardless of whether the payout was appropriate, the reality is that bug bounty programs can become expensive as companies look to compete with the private market. Businesses can avoid costly payouts, and the even costlier attacks that a single line of code might have prevented, by using tools such as static analysis software to examine their applications before launch. In an increasingly competitive software security environment, such tools can be essential for protecting a product and its users.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.