A vulnerability was discovered and patched in a third-party service that handles resumes on Facebook’s careers page.
The discovery was worth more than $6,000 in a bounty paid out by Facebook to researcher Mohamed Ramadan of Egypt, who published some details of the vulnerability and exploit on his website.
Ramadan said the vulnerability is a blind XXE (XML External Entity) Out of Band bug. It allowed him to upload a .docx file to the careers page with some additional code that was not vetted by the third-party service.
The careers page accepts resumes only in PDF or .docx formats. Ramadan said he was able to use the 7zip program to extract the XML contents of the .docx file he’d created. He opened a file called [Content_Types].xml and inserted benign code that he uploaded to the page. The code, he said, connected to his python HTTP server 15 minutes later.
Ramadan said that while his attack code was innocuous, a hacker could carry out any number of malicious activities, including a denial-of-service attack on the parsing system, carrying out TCP scans using HTTP external entities, gain unauthorized access to data stored as XML files, carry out denial-of-service attacks on other systems, read system and application files, execute more code, or use connected applications for DDoS attacks.
Since the third-party service, however, was not part of Facebook’s production environment, user data or Facebook source code would not be at risk.
This is not the first time Ramadan has been rewarded with a Facebook bounty. In October 2013, he found vulnerabilities in the Facebook Messenger apps for Android that enable any other app on a device to access the user’s Facebook access token and take over her account, and a similar flaw in the Facebook Pages Manager for Android, an app that allows admins to manage multiple Facebook accounts. That bug also enables other apps to grab a user’s access token.
Facebook has tackled XXE bugs before. In January, it paid out a $33,500 bounty to a Brazilian researcher who found a XXE vulnerability in Facebook’s Forgot Your Password service. He reported the XXE bug and asked Facebook for permission to escalate it to a remote code execution flaw. Facebook quickly patched, but Silva shared his potential exploit with the Facebook security team which decided it merited a major bounty.