Facebook Awards $5,000 Bounty for Remote Code Execution Vulnerability

This security flaw allowed hackers to remotely hijack the system, causing damage

Facebook has recently resolved a serious security flaw that allowed attackers to execute code remotely. The vulnerability was discovered and reported by a security researcher who found it on one of Facebook's servers.

What was the vulnerability?
While scanning the IP range of Facebook's servers, the researcher came across a Sentry service, written in Python with Django, that seemed to be unstable.

According to the researcher, the application contained a user password reset feature that occasionally crashed. He further said that Django debug mode was left enabled on the application, which allowed him to see the whole environment whenever a stack trace occurred. However, critical information such as passwords and secret keys was not included in the stack trace, which averted a much larger leak.

Upon closer inspection, the researcher found that he was able to see where in the stack the cookie details were handled, as well as the location where the application was using Pickle, a Python data serialization protocol that can be vulnerable to manipulation. Besides this, the researcher also found a key in the Sentry options list that had not been snipped out of the output.

He used all of this information to write a script that would forge malicious cookies with arbitrary Pickle content, including a payload to override the Sentry cookie. This security flaw allowed hackers to remotely hijack the system, causing damage and enabling them to steal data from the server.
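The two defensive lessons in this write-up are that session cookies should carry data rather than Python objects, and that a signing secret must never be visible in a debug page. The following is an added Python example, not code from the article, from Facebook or from the Sentry project: it replaces pickle-based cookies with a signed JSON cookie, and, for code that cannot drop pickle yet, shows a restricted unpickler that refuses every module-level reference. The `SECRET_KEY`, the cookie contents and the sample pickles are all constructed here; the real key and data never appear on the page.

```python
import base64
import datetime
import hashlib
import hmac
import io
import json
import pickle
import secrets

# Constructed signing secret for this example. With DEBUG=True, Django's error page
# renders the settings, so a key like this one is exactly what a stack trace must
# not show: whoever holds it can mint cookies the server will trust.
SECRET_KEY = secrets.token_bytes(32)


# --- Hardened session cookie: JSON payload (data only, no Python objects) + HMAC ---

def sign_cookie(data: dict) -> str:
    """Serialize ``data`` as JSON and append an HMAC-SHA256 tag keyed with SECRET_KEY."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_signed_cookie(cookie: str):
    """Return the cookie's dict if the tag verifies; None if it is forged, modified or garbled."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None


# --- Defense in depth where pickle cannot be removed yet: refuse every global ---

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects any reference to a module-level name.

    Plain containers and scalars (dict, list, str, int, ...) never trigger
    find_class, so they still load; anything that would import a class or
    function, which is what a code-executing pickle relies on, is refused.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_plain_data_pickle(blob: bytes) -> bool:
    """True if the pickle contains only plain data, False if it references any global."""
    try:
        restricted_loads(blob)
        return True
    except pickle.UnpicklingError:
        return False


def demo() -> dict:
    """Exercise both controls on constructed inputs and return the outcomes."""
    good = sign_cookie({"uid": 42, "role": "user"})
    _payload, tag = good.rsplit(".", 1)
    # Same tag, different payload: what a tampered cookie looks like to the server.
    forged = base64.urlsafe_b64encode(b'{"role":"admin","uid":42}').decode() + "." + tag
    # datetime.date pickles through a reference to the class datetime.date, so the
    # restricted unpickler treats it the same way it treats any other global.
    return {
        "valid_roundtrip": load_signed_cookie(good),
        "forged_rejected": load_signed_cookie(forged) is None,
        "garbage_rejected": load_signed_cookie("not-a-cookie") is None,
        "plain_pickle_ok": is_plain_data_pickle(pickle.dumps({"uid": 42})),
        "global_pickle_blocked": not is_plain_data_pickle(pickle.dumps(datetime.date(2018, 5, 8))),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The signed-JSON path is the real fix: even a leaked key then lets an attacker set values, not run code, and rotating the key invalidates every cookie. The restricted unpickler is a stopgap for the interval before the serializer is replaced, and an `UnpicklingError` from it is worth logging, since legitimate traffic never produces one.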

The researcher limited his proof of concept to a 30-second delay, avoiding any harm to the application, and has made it clear that no user data was stored on the server or exposed because of the bug.

The researcher was awarded $5,000 for his efforts. The company has patched the vulnerability and restarted the service.

Ankush Johar, director at Infosec Ventures, said: “This reveal should be taken as a clear reminder that even the most cyber-aware organisations can be breached via leveraging a single tiny loophole and it also makes it clear that although absolute security is too utopian, crowd-sourced security is the aptest form of cybersecurity.

“What's better than thousands of experienced and skilled hackers finding each and every brick in the wall that too mostly for free unless of course a critical bug is found. Unlike standard security solutions like In-source and Out-source, one does not need to pay for security audits that simply end with a green tick and say all is secure. This pay-for-performance model increases efficiency and effectiveness and that’s why most organisations are shifting to crowd-sourced security models.

“Facebook is the best example of the benefits of crowd-powered security along with Google, Microsoft and even the US DoD, US Army, US Navy and many others. Even after having nearly unlimited resources and possibly the best hackers and developers in-house, they make sure to include bug bounty programs as a key part in their cybersecurity model.

“The meta is shifting away from standard VAPT, it might be better to shift with it instead of lagging behind.”
