In the past few days, several big bug bounties have been earned by Indian researchers, including a $100k bounty from Apple, and now an SSRF vulnerability has been disclosed on Facebook.
In a Medium post, Bipin Jitiya took a deep dive into his first-ever bug bounty payouts to demonstrate how researchers can combine “secure code review, enumeration, and scripting knowledge to find a critical vulnerability”.
The affected subdomain belongs to MicroStrategy, which has partnered with Facebook on data analytics projects for several years; MicroStrategy paid out another $500 for the same flaw after Bipin found the same vulnerability in MicroStrategy’s demo portal.
How Bipin exploited the SSRF
First, after finding a subdomain linked to the MicroStrategy SDK, Bipin found a “shortURL” task that processes a short URL without checking for a valid authenticated session. After a while, he found that the URL shortener could leak sensitive information about the server.
So he chained both vulnerabilities and submitted them to Facebook. Later he received a mail from Facebook saying they could not reproduce the bug from his POCs; moreover, he realized that the bug had been accidentally patched in recent updates.
Another Blind SSRF In MicroStrategy’s SDK
After a few days of further research, Bipin found another blind SSRF in the MicroStrategy web SDK. This time it was a “validateServerURL” function that internally sends a GET request to the provided URL. After finding this bug, Jitiya immediately reported it to Facebook and, boom, this time he got a bounty worth $30k after Facebook confirmed that the bug could be reproduced.
Bipin told The Daily Swig that he also “tried to convert SSRF to RCE using a gopher wrapper, but unfortunately, the gopher wrapper was disabled on the Facebook server.”
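The two weaknesses described above (a task that fetches a caller-supplied URL without checking the session, and a validation function that will follow any scheme the caller names) have a standard defensive shape. The following is an added example, not code from MicroStrategy or from the researcher: it shows a hardened validateServerURL-style check that requires an authenticated session, allows only http/https on expected ports, and refuses URLs whose host resolves to a loopback, private, link-local or other non-public address. The DNS table, hostnames and addresses are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects gopher://, file://, dict:// and friends
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline; a real deployment
# would use socket.getaddrinfo and re-check every redirect target as well.
FAKE_DNS = {
    "bi.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.35", "127.0.0.1"],  # one public, one loopback
}

def resolve(host):
    return FAKE_DNS.get(host, [])

def is_public_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # is_global is False for loopback, RFC 1918, link-local (so also the
    # 169.254.169.254 cloud metadata address), CGNAT and documentation ranges.
    return ip.is_global and not ip.is_multicast

def validate_server_url(url, session_authenticated):
    """Return (ok, reason); only ok=True may be followed by an outbound GET."""
    if not session_authenticated:
        return False, "unauthenticated"  # the check the shortURL task lacked
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme"
    if not parts.hostname or parts.username or parts.password:
        return False, "host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "port"
    if port not in ALLOWED_PORTS:
        return False, "port"
    # Literal IPs are checked directly; names must resolve only to public IPs,
    # so a name that mixes in a loopback record is rejected as a whole.
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "internal-address"
    return True, "ok"
```

Blocking the destination at validation time does not cover redirects, so the fetch itself should also refuse to follow redirects or re-run this check on each hop.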
The $1,000 reward issued via Facebook’s Bugcrowd program arose from Jitiya’s enumeration of internal Facebook infrastructure behind a firewalled environment, after discovering that a ‘shortURL’ task failed to check for a valid authentication session, giving unauthenticated attackers a way in.
Facebook initially “didn’t believe it to be a security vulnerability”, but relented after the researcher outlined attack scenarios enabled by the flaw, including phishing and reflected cross-site scripting (XSS) attacks.