Indian hacker finds server-side request forgery (SSRF) vulnerability in Facebook.com and gets $31,500 as bug bounty
A couple of weeks back we had reported how an Indian hacker found a Cross Site Scripting (XSS) vulnerability in the Facebook.com domain and got $20,000 as bug bounty for it. Now another Indian researcher, Bipin Jitiya, has found a server-side request forgery (SSRF) vulnerability in Facebook.com.
Jitiya’s vulnerability is even more critical than Vinoth Kumar’s XSS discovery, so Facebook decided to award him $31,500 as bug bounty.
What is the server-side request forgery (SSRF) attack?
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.
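The usual defensive control against the scenario described above is to validate the destination before the server fetches a user-supplied URL. The following is an added illustration, not code from the report or from Facebook: a vulnerable fetch wrapper beside a hardened one that restricts the scheme, rejects embedded credentials, resolves the hostname and refuses any address that is not publicly routable. The DNS table, hostnames and IPs are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS table so the example runs offline (hypothetical names, sample IPs).
FAKE_DNS = {"example.com": ["93.184.216.34"], "internal.corp": ["10.0.0.5"]}

def fake_resolver(host):
    """Stand-in for socket.gethostbyname_ex: returns (name, aliases, [ip, ...])."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return host, [], FAKE_DNS[host]

def is_public_ip(ip_str):
    """Only globally routable unicast: rejects loopback, RFC 1918, link-local, etc."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def fetch_unsafe(url, http_get):
    """Vulnerable pattern: a caller-controlled URL goes straight to the HTTP client."""
    return http_get(url)

def check_outbound_url(url, resolver=socket.gethostbyname_ex):
    """Validate a user-supplied URL; returns (ok, reason, resolved_ips)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parsed.hostname
    if not host or parsed.username or parsed.password:
        return False, "missing host or userinfo present", []
    try:
        ipaddress.ip_address(host)      # literal IP: no lookup needed
        ips = [host]
    except ValueError:
        try:                            # hostname: check every address it resolves to
            ips = list(resolver(host)[2])
        except OSError:
            return False, "DNS resolution failed", []
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return False, "resolves to a non-public address", ips
    return True, "ok", ips

def fetch_safe(url, http_get, resolver=socket.gethostbyname_ex):
    """Hardened wrapper: refuses the request unless the destination passes the check."""
    ok, reason, _ = check_outbound_url(url, resolver)
    if not ok:
        raise ValueError(f"blocked outbound request: {reason}")
    return http_get(url)
```

The `http_get` callable must not follow redirects on its own (each hop needs the same check), and a production version should pin the connection to one of the returned addresses so that a hostname cannot re-resolve to an internal address between check and fetch.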
Jitiya found that he could launch an SSRF attack against Facebook using TinyURL. Jitiya described the attack method in his Medium post. However, the Facebook security team rejected this particular report, saying they did not believe it to be a security vulnerability.
Jitiya pursued his SSRF attack methods on Facebook and found that he could mount a phishing attack using the SSRF. He discovered that he could use TinyURL to launch an SSRF attack as before, but to greater effect.
He could make a Facebook user (the victim) enter personal details such as login ID and password on the TinyURL page he made. Further, the victim’s credentials could be saved in plaintext and viewed without much difficulty.
This method is very easy and could be used by potential hackers to glean Facebook users’ information without much sweat. Facebook accepted this vulnerability and decided to award him $1000 as a bug bounty.
Not happy with the $1000 bug bounty, Jitiya persisted with his SSRF attack on Facebook. He had to wait a couple of months before he found that Facebook.com’s internal endpoints were vulnerable to blind SSRF attacks. He has detailed the flaw in his Medium post. Facebook realized that the SSRF vulnerability found by Jitiya was highly critical and awarded him a bug bounty of $30,000.00. It has also patched the vulnerability.