Researcher Alaa Abdulridha, a computer engineering student at the University of the city of Kharkiv, Ukraine, posted on his blog the information that he won a $ 54,800 prize from Facebook’s bounty bug program for discovering and informing a flaw that gave access to the company’s internal network. In December 2020, he had already earned $ 7,500 from Facebook for discovering a vulnerability in the API of a service apparently used by the company’s legal department: the December flaw could have been exploited to reset the password for any account for a web application. used internally by Facebook employees, he said.
In a post on his blog published on Thursday, March 18, 2021, the researcher said that he continued analyzing the same application and once again managed to access it, but this time manipulating the cookie data. He stated that from that access he was able to launch a server-side request forgery attack (SSRF or server side requst forgery) and gain access to Facebook’s internal network. Facebook described this as “an attacker capable of sending HTTP requests to internal systems and reading their responses”.
Abdulridha showed in the post the correspondence he received from Facebook thanking him for his discovery and notifying him of the receipt of the award.
“I was able to scan the ports of the local servers and browse the local applications / web applications that the company uses in its infrastructure,” he said on the blog. “I am sure that this vulnerability in the wrong hands can be escalated to CER and can pose a great risk to the company and its customers.”
The researcher said he obtained access by chaining two vulnerabilities until he reached the point of access to Facebook’s internal network. He said on his blog that this type of access allowed:
- Access any Facebook employee account on the legal department panel
- Access the internal Facebook network (intern.our.facebook.com)
- Perhaps escalate this vulnerability and use it to scan the network and internal servers
“We all know how critical the SSRF is, especially as it does not have an access speed limit,” he said.
With international news agencies