Silva has reported a Remote Code Execution (RCE) vulnerability to Facebook. The vulnerability allows an attacker to read any file on the server and to execute any malicious code on it.
Earlier, Silva had discovered an XML External Entity (XXE) expansion bug in the Drupal code that handled OpenID. He found that the same exploit also affected Google's App Engine and Blogger. The bug had little effect on Google's servers, but Google still rewarded him with a $500 bounty.
After this, Silva learned that Facebook also uses OpenID on its "Forget Password" page. He tested his exploit on it and discovered an XXE bug in Facebook that allowed him to read the "/etc/passwd" file from the server.
He reported the bug to Facebook, and the Facebook security team responded quickly and fixed it within 3.5 hours.
After receiving the fix report from Facebook, he asked to take his access further. Silva tested the vulnerability again and reported that the issue was fixed. For this bug report, Facebook awarded Silva $33,500, which is the highest reward ever given by Facebook to any researcher.