Two vulnerabilities could be chained to lead to server-side request forgery
A security researcher has been awarded a $55,000 bug bounty after they chained a pair of vulnerabilities in an unnamed third-party application to achieve server-side request forgery (SSRF) and compromise Facebook’s internal network.
Alaa Abdulridha demonstrated how authentication cookies used by the application could be manipulated to compromise accounts belonging to Facebook employees, before exploiting a flaw in the application’s form-building feature to access intern.our.facebook.com.
A few days previously, he also found an “unsecured API which allowed [him] to change the password of any admin account with no user interaction”, again potentially leading to the takeover of accounts registered by Facebook employees, as outlined in the first of two blog posts documenting the findings.
Abdulridha told The Daily Swig that he considered all three vulnerabilities to have low complexity but high impact.
The discoveries earned him a total of $54,800 in bug bounty payouts, with the SSRF chain alone – documented in a second blog post – netting him $47,000.
In awarding the cybersecurity engineer this bumper bounty, Facebook’s security team acknowledged that the SSRF vulnerability “could have allowed a highly sophisticated attacker to perform HTTP requests into our network and read our responses”.
Changing the password
Abdulridha targeted the same subdomain – https://legal.tapprd.thefacebook.com – with a 2019 RCE exploit that netted another researcher $1,000.
After finding a way to bypass a redirect to the single sign-on (SSO) page, fuzzing on a ‘forgot password’ endpoint exposed a ‘save password’ endpoint that was “expecting a POST request”.
Using Burp Intruder, he then tried a list of email permutations in a bid to hit upon an admin password and generated “the same error results plus one other result” – a 302 redirect to the login page.
YOU MAY ALSO LIKE GitHub awards bug bounty hunter $25,000 for Actions secrets theft report
The successful email and password combination allowed him access to the admin account.
The researcher bolstered his discovery by writing “a quick and simple” python script that, if incorporating the email and new password, changes the password.
The application also used ASPXAUTH cookies, which he suspected might be susceptible to the same manipulation he had previously used successfully on other bug bounty programs, because most applications using the authentication cookie include only the email or username and expiration time in the encryption keys.
After a Google search uncovered another website that used the application and the same encryption keys, the researcher successfully registered with a Facebook admin username, “intercepted the request and took the ASPXAUTH and replaced it with the Facebook expired ASPXAUTH”.
Thus, an account used by a Facebook employee could be compromised, proving he could “login using any admin account just by knowing the username”.
The Facebook bug bounty team awarded $55k for the two vulnerabilities
Abdulridha recommends that developers using ASP.net should ensure that ASPXAUTH cookies are stored in the database, validated by the application, and contain more than the username for further validation. Encryption and decryption keys should be changed from their default settings.
Canary token in the coalmine
The researcher suspected that a critical SSRF was likely present in the application’s form-designing feature, which had “an option to call an external API called ‘API Trigger’, for example to call graph.facebook.com by using the access token of your Facebook account”.
By surfacing Facebook’s canary token, he validated SSRF and the threat of arbitrary command execution and to data “either in the vulnerable application itself or on other back-end systems” in Facebook’s internal network “that the application can communicate with”.
This might also “result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage,” he added.
Abdulridha reported the first vulnerability on August 28, 2020, and it was fixed on October 2. A report for the other two flaws was submitted on September 9, and the bug pairs were partially mitigated on October 26 and fully fixed on February 25, 2021.
Facebook told the researcher that it had found no evidence of abuse.
Asked to comment further by The Daily Swig, Abdulridha simply urged: “Bug hunters around the world – never give up on the target.”