Free Internet Security Newsletter

Join 10,000+ subscribers who get breaking news and tips on improving their Internet security delivered directly to their inbox

Check email address is correct


Facebook Awards $33.5k in Record Setting Bug Bounty

By Chris Stobing Email | 25 January 2014 at 11:49 pm CET | No Comments

This Friday, a Brazilian security researcher named Reginado Silvia accepted the largest bug bounty ever to be paid out by a company for a single crack, netting  just over $33,500 from none other than Facebook before all was said and done.

Silvia first came across the lucrative loophole back in November, and spent several months in a back and forth between himself and the company verifying the results to be sure that what he had found actually posed a threat to their service and its hundreds of millions of users around the globe. According to security specialists at the website, Silvia had essentially gained access to the “keys to the kingdom”, which would have granted him full and total reign over the nearly 1 billion usernames and passwords currently stored on the website’s servers and backup locations.

“I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not.”


The flaw worked by exploiting the OpenID system, which is normally used to create a verification link between services like Gmail and Twitter that enables users to forgo the usual registration process, and use their details from the aforementioned services to login without inputting any extra information for the privilege.

The bug gives anyone who comes across it the unlimited capacity to hurl as much malware as they can possibly throw at masses of users all at once, without having to go through the normal channels of linking each profile together through spam messages or wall posts like most classical schemes might.

A full analysis of the problem can be found here in a Malwarebytes blog writeup penned by Joshua Cannell.

Have something to add to this story? Share it in the comments below

Topics: , , , ,


Chris Stobing

Chris is a technology reporter from San Jose, California, right in the heart of Silicon Valley. Raised around tech from birth, he's found interests in gadgets and the companies that make them for years. When not blogging about tech, he can be found hunting for music, shredding the slopes in South Lake, or whipping up a dish for friends in the kitchen.

leave your comment


Join our free newsletter

Receive our daily brief on Internet security, online anonymity, reviews and exclusive discounts.

VPN Providers

We are a professional review site that receives compensation from the companies whose products we review. We are independently owned and the opinions expressed here are our own.

VPN Providers