Security researcher Vinoth Kumar revealed in a note that he received US$20,000 (approximately R$120,000.00 reais) from Facebook, after finding a flaw in the integration of Facebook Login with other websites on the internet.
Hijacking a user's login could happen with a single click: a malicious website only needed to convince the victim to press its “Continue with Facebook” button, and that one click gave the attacker the access needed to take over the victim’s account.
Kumar says he contacted Facebook on April 17 to report the details of the security flaw. Three days later, on April 20, the social network had already modified the code to block the attack. On May 1, the researcher received his reward, approximately R$120,000.00 reais, more than ten times the average reward under Facebook's program, which was US$1,500 in 2019.
Since the issue has now been fixed, users are no longer at risk of being hacked. There is no record of the flaw being exploited by hackers in real-world attacks.
Understanding the flaw:
The “Login with Facebook” or “Continue with Facebook” option lets a website use a visitor’s social network profile to identify them, removing the need for a separate registration on that site. The user does not have to create another password or validate an email address, because all of that is settled with a single click. The website receives information from Facebook to authorize the login and confirm that the user really exists, but the Facebook account remains separate from the page. The password is never shared either, because authentication is done with an access key.
Kumar found that it was possible to inject code into this exchange of information between a website and Facebook. The browser would then execute the injected instructions directly in the social network’s own page, breaking the isolation that should exist between the website and Facebook.
Code injected into the Facebook page in this way could expose the master access key of the victim's account, which should never be shared.
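As an added illustration, not code from the article or from Facebook: the article does not say how the injected instructions reached Facebook's page, so this assumed browser-side message handler only shows the defensive principle the flaw violated, a login widget treating anything arriving from another site as untrusted data, checking its origin exactly, and never handing out the account's master access key. The origins, action names and sample events are constructed.

```javascript
// Added example (not the original article's code): a hardened handler for
// cross-window messages in a browser login widget. Names and values are assumed.
// In a real page it would be registered via window.addEventListener('message', ...).

// Assumed: the identity provider knows which origins each app registered.
const REGISTERED_APP_ORIGINS = new Set([
  "https://shop.example",
  "https://news.example",
]);

// Only a closed set of actions is accepted; the message is data, never code.
const ALLOWED_ACTIONS = new Set(["login_status", "logout"]);

function isValidOrigin(origin) {
  // Exact-match comparison: no startsWith(), no regex, so a look-alike
  // such as "https://shop.example.attacker.test" does not pass.
  return REGISTERED_APP_ORIGINS.has(origin);
}

function handleLoginMessage(event) {
  // 1. Reject anything not sent from a registered app origin.
  if (!isValidOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  // 2. Validate the payload's shape; a bare string is never treated as markup or code.
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) {
    return { accepted: false, reason: "malformed payload" };
  }
  if (!ALLOWED_ACTIONS.has(msg.action)) {
    return { accepted: false, reason: "unknown action" };
  }
  // 3. The reply carries only the action and the verified origin to answer to;
  //    the user's master access key stays inside the provider's page.
  return { accepted: true, action: msg.action, replyTo: event.origin };
}

// Constructed sample events (not real traffic): one legitimate request,
// one from a look-alike origin, one raw-string payload, one unknown action.
const SAMPLE_EVENTS = [
  { origin: "https://shop.example", data: { action: "login_status" } },
  { origin: "https://shop.example.attacker.test", data: { action: "login_status" } },
  { origin: "https://news.example", data: "raw string payload" },
  { origin: "https://news.example", data: { action: "drop_session_table" } },
];

function runSamples() {
  return SAMPLE_EVENTS.map(handleLoginMessage);
}
```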
Rewards Program
Facebook has a bounty program for independent researchers to look for flaws in the social network's systems. If they find a vulnerability, it must be reported to a specific Facebook channel and must be kept confidential until a solution is developed so as not to put users at risk.
The amount of the bounty is decided by Facebook itself. In general, the greater the impact or sophistication of the flaw, the higher the bounty. In 2019, the average bounty was $1.5 million.
Facebook: Fixes bug and pays $20,000 to the person responsible