Who says you have to start small?
A security researcher in India has netted $31,500 in bug bounty winnings after finding several security flaws in Facebook and a third-party business intelligence portal.
In a Medium post published yesterday (May 31), Bipin Jitiya took a deep dive into his first ever bug bounty payouts in order to demonstrate how researchers can combine “secure code review, enumeration, and scripting knowledge to find a critical vulnerability”.
The pen tester and application developer, who earned three rewards for two of four discoveries, earned a whopping $30,000 for an internal blind SSRF in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.
MicroStrategy, which has partnered with Facebook on data analytics projects for several years, paid out another $500 for the same flaw after Jitiya also found the vulnerability present in the platform’s demo portal.
While $30,000 is nothing to be sniffed at, another arguably more interesting find did not elicit a payout from the social media giant.
Jitiya told The Daily Swig that another blind SSRF that he previously discovered in the MicroStrategy web SDK source code, which allowed attackers to submit GET requests to internal and external systems, “alone had a medium impact”.
When “chained by an information leak” that he later discovered, however, “its impact was greatly increased”, he added.
Jitiya, an information security analyst at Net Square Solutions, found that an URL shortener used internally by Facebook and externally by users could leak sensitive information about the server.
This included “information about the internal path to the logs folder, other file paths, internal system queries that use fetch data, internal IP address, internal ID, configuration related information, private documents etc without any authentication.
“By exploiting this vulnerability, it would be possible for an attacker to enumerate valid internal URLs present in the system.”
“In the worst case, if an attacker finds an internal URL that was used to update or delete the server's internal files, then attacker can misuse that information by chaining with blind SSRF to execute this URL,” he told The Daily Swig.
“There is also the possibility of deleting any sensitive files in the same case, such as log files, configuration files… or even in the worst case some controller files such as login.php, profile.php etc.”
Although Jitiya noticed that the blind SSRF bug had been remedied, Facebook said this was not in response to his report, and “could have easily been a side effect of a recently added feature, an unrelated bug fix, or an infrastructure/configuration change”.
Facebook declined to pay out “In the absence of a working POC clearly showing an internal SSRF”.
By contrast, the $30,000 payout was sanctioned because “it was possible to perform blind SSRF to Facebook-internal endpoints”.
Jitiya told The Daily Swig that he also “tried to convert SSRF to RCE using a gopher wrapper, but unfortunately the gopher wrapper was disabled on the Facebook server.”
The $1,000 reward issued via Facebook’s Bugcrowd program arose from Jitiya’s enumeration of internal Facebook infrastructure behind a firewalled environment, after discovering that a ‘shortURL’ task failed to check for a valid authentication session, giving unauthenticated attackers a way in.
Facebook initially “didn’t believe it to be a security vulnerability”, but relented after the researcher outlined attack scenarios enabled by the flaw, including phishing and reflected cross-site scripting (XSS) attacks.