Facebook recently disclosed a serious security flaw in one of the company's servers which allowed remote code execution. Security researcher Daniel "Blaklis" Le Gall of SCRT Information Security was awarded $5,000 for discovering the bug. The researcher said the bug was found on one of Facebook's servers.
How did the researcher find the issue?
When the researcher scanned the IP range of Facebook's servers he came across a Sentry service, written in Python with Django, which looked vulnerable.
“The application appeared to be unstable regarding the user password reset feature,” the researcher said. “Django debug mode was not turned off, which consequently prints the whole environment when a stack trace occurs. However, Django snips critical data (passwords, secrets, key…).”
Digging deeper into the issue, the researcher also found that a binary protocol (Pickle) was used to unserialize Python object structures. Although the secret key was not available in the stack trace, Blaklis obtained the key by using the Sentry list.
Where was the vulnerability?
The application used this key for session signing, so anyone who obtains it can forge sessions and hijack users' sessions. The researcher was able to write a script that forges malicious cookies carrying arbitrary Pickle content, including a payload to override Sentry cookies.
Rather than doing any harm to the application, the researcher's proof of concept only introduced a 30-second delay; its success showed that the server was vulnerable to the attack and that users' data could have been exposed as a result. The researcher reported his findings on July 30th.
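The combination described above, a signing key that protects cookie integrity together with a Pickle serializer that rebuilds arbitrary objects once the signature checks out, is illustrated by the following added example. It is not code from the report or from Sentry or Django; it uses a constructed stand-in key and a small HMAC scheme in the spirit of Django's signed cookies, and the `is_plain_data` check is a hypothetical helper showing what a JSON serializer guarantees and a Pickle one does not.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed stand-in for Django's SECRET_KEY; in the report the real key leaked.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign(payload: bytes, key: bytes) -> str:
    """Signed-cookie scheme in the spirit of django.core.signing: payload + HMAC-SHA256."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + base64.urlsafe_b64encode(mac).decode()


def unsign(cookie: str, key: bytes) -> bytes:
    """Return the payload only if the HMAC verifies; without the key this always fails."""
    b64payload, b64mac = cookie.rsplit(":", 1)
    payload = base64.urlsafe_b64decode(b64payload)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(b64mac)):
        raise ValueError("bad signature")
    return payload


def load_session_pickle(cookie: str, key: bytes):
    """Weak setting: a Pickle serializer resolves and rebuilds arbitrary objects after the signature passes."""
    return pickle.loads(unsign(cookie, key))


def load_session_json(cookie: str, key: bytes):
    """Hardened setting: JSON can only yield dicts, lists, strings, numbers, booleans and null."""
    return json.loads(unsign(cookie, key).decode())


def is_plain_data(obj) -> bool:
    """Hypothetical check: True when session data holds nothing but JSON-style values (no live objects)."""
    if isinstance(obj, dict):
        return all(isinstance(k, str) and is_plain_data(v) for k, v in obj.items())
    if isinstance(obj, list):
        return all(is_plain_data(v) for v in obj)
    return obj is None or isinstance(obj, (str, int, float, bool))


def accepted_under_other_key(cookie: str) -> bool:
    """Whether a cookie verifies under a different key; it must not, so signing alone is sound."""
    try:
        unsign(cookie, b"some-other-constructed-key")
        return True
    except ValueError:
        return False


# Constructed cookies: the Pickle one smuggles a reference to a global (the harmless builtin
# `len`) that the loader resolves once the key-holder's signature checks out; JSON cannot carry it.
smuggled = sign(pickle.dumps({"user_id": 42, "hook": len}), SECRET_KEY)
honest = sign(json.dumps({"user_id": 42}).encode(), SECRET_KEY)
```

Signing only keeps a cookie from being altered by someone without the key; once the key is known, the serializer decides whether the worst case is a forged user id or arbitrary object construction.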
Facebook swiftly took the server down until a patch was ready. Blaklis was awarded $5,000 for his efforts. The company has patched the vulnerability and restarted the service.