This Friday, a Brazilian security researcher named Reginaldo Silva collected the largest bug bounty Facebook has ever paid for a single vulnerability, netting just over $33,500 before all was said and done.
Silva first came across the lucrative loophole back in November, and spent several months going back and forth with the company, verifying the results to be sure that what he had found actually posed a threat to the service and its hundreds of millions of users around the globe. According to Facebook's own security team, Silva had essentially gained access to the "keys to the kingdom": a foothold that, once escalated, would have put the accounts of nearly 1 billion users within reach. Silva described his reasoning this way:
“I knew just how I would escalate that attack to a Remote Code Execution bug; I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not.”
The flaw lived in Facebook's implementation of OpenID, a federated login protocol. OpenID lets a site (the "relying party") hand authentication off to a third-party identity provider, such as a Google account, so that a user can sign in with an identity they already hold instead of going through the site's own registration process and entering yet another set of details.
</gmale_replace>
<gr_replace lines="5" cat="clarify" orig="The bug gives anyone">
An attacker who found the bug first would not have needed the usual footwork of classical Facebook scams, which spread one profile at a time through spam messages or wall posts; with this level of access, malicious content could in principle have been pushed out to masses of users at once.
The bug gives anyone who comes across it the unlimited capacity to hurl as much malware as they can possibly throw at masses of users all at once, without having to go through the normal channels of linking each profile together through spam messages or wall posts like most classical schemes might.
A full analysis of the problem can be found in a Malwarebytes blog writeup penned by Joshua Cannell.