Back in 2011, Facebook launched its bug bounty program, which pays researchers who report previously unknown security bugs to the company.
The company kindly reminded people that it wouldn’t sue them if they gave it a reasonable amount of time to respond to the report before making any information public.
This week, the company announced that it awarded its biggest bug bounty payout ever – $33,550, which went to Reginaldo Silva.
“In November, we were reading through incoming bug reports and came across a claim we wanted to investigate right away: arbitrary file reads,” the company said in an update on the Facebook Bug Bounty Page. “The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees.”
The issue was an XML External Entity (XXE) vulnerability, which could have allowed an attacker to read arbitrary files on the web server.
Facebook said it immediately implemented a fix by flipping a flag to cause its XML parsing library to disallow the resolution of external entities.
The company said, “This initial fix was simple enough to fit on one line: libxml_disable_entity_loader(true);.”
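As an added illustration (not Facebook's or Silva's code), the snippet below shows a constructed XXE input and a hardened PHP parse path built around the same one-line fix, with a pre-parse check that rejects untrusted documents declaring external entities at all. It assumes PHP with the DOM extension; the file path in the sample is constructed.

```php
<?php
// Constructed sample input: an external entity that would pull a local file into the document.
const SAMPLE_XXE = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE root [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<root><value>&ext;</value></root>
XML;

// Defence in depth: untrusted input has no business declaring external entities.
function declares_external_entity(string $xml): bool
{
    return (bool) preg_match('/<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b/i', $xml);
}

// Parse with external entity loading switched off for the duration of the call.
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    if (declares_external_entity($xml)) {
        // Reject and log rather than try to sanitise; a report like Silva's would show up here.
        error_log('rejected XML with external entity declaration');
        return null;
    }
    // The flag Facebook flipped. On PHP 8+ it is deprecated because external entity
    // loading is already disabled by default, so the call is skipped there.
    $previous = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : true;
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET additionally forbids any network access while parsing.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($previous); // restore the global setting
    }
    libxml_clear_errors();
    return $ok ? $doc : null;
}

$result = parse_untrusted_xml(SAMPLE_XXE);
echo $result === null ? "rejected\n" : "parsed: " . $result->textContent . "\n";
```

Run against the sample, the pre-check rejects the document before libxml ever sees it; a benign document without a DOCTYPE parses normally with entity loading off.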
You can read Facebook’s full explanation in the post below. A link to Silva’s writeup is within.