Researcher gains access to Facebook's internal network via vulnerability


A security researcher gained access to Facebook's internal network by chaining several vulnerabilities. The social media company has since fixed the problems and awarded researcher Alaa Abdulridha $54,800 for his bug report.


Abdulridha had previously found a vulnerability in an internal Facebook application that gave him access to the application and its admin panel. The application is used by Facebook's legal department. Facebook fixed that problem. For his second attack, the researcher returned to the same application.


This time, however, he got in a different way, by manipulating an ASPXAUTH cookie. These cookies are used to determine whether the user has been authenticated. Abdulridha found another website using the same application. He registered an account there with the same username as the administrator of the application that Facebook uses.


He then intercepted the request to the application on the other website and replaced the ASPXAUTH cookie with the Facebook application's expired ASPXAUTH cookie. This gave him access to the admin panel of the Facebook application again. "I could log in to any administrator account just by knowing the username," said the researcher.
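
The cookie swap described above works only if the target accepts authentication tickets it did not issue. As an added example (not code from the article, the researcher or Facebook), this simplified Python model assumes both installations validate tickets with the same key, which the article does not state; the ticket format, key values, site names and function names are constructed for illustration and are not ASP.NET's own.

```python
import base64, hashlib, hmac, json, secrets, time

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

def issue(key, user, site=None, ttl=3600, now=None):
    """Build a signed ticket: base64(json body) + "." + base64(HMAC)."""
    now = time.time() if now is None else now
    ticket = {"user": user, "exp": now + ttl}
    if site:
        ticket["aud"] = site  # hardened tickets name the install that issued them
    body = json.dumps(ticket, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_mac(key, body)).decode()

def _open(key, cookie):
    """Return the ticket dict if its MAC verifies under `key`, else None."""
    try:
        body, mac = (base64.urlsafe_b64decode(p) for p in cookie.split("."))
    except ValueError:  # wrong number of parts or bad base64
        return None
    return json.loads(body) if hmac.compare_digest(mac, _mac(key, body)) else None

def weak_login(key, cookie):
    """Modelled flaw: any ticket that verifies is trusted; issuer and expiry are ignored."""
    ticket = _open(key, cookie)
    return ticket["user"] if ticket else None

def hardened_login(key, cookie, site, now=None):
    """Require a valid MAC, a matching issuer and an unexpired ticket."""
    now = time.time() if now is None else now
    ticket = _open(key, cookie)
    if not ticket or ticket.get("aud") != site or ticket.get("exp", 0) <= now:
        return None
    return ticket["user"]

# Constructed scenario: every install of the application ships with the same key.
SHARED_KEY = b"constructed-vendor-default-key"
foreign = issue(SHARED_KEY, "admin")     # issued by another site running the same app
print(weak_login(SHARED_KEY, foreign))   # the target accepts it as its own admin

# Hardened: each install generates its own key and checks issuer and expiry.
KEY_A, KEY_B = secrets.token_bytes(32), secrets.token_bytes(32)
print(hardened_login(KEY_A, issue(KEY_B, "admin", "site-b"), "site-a"))
```

The per-install key alone already rejects the foreign ticket; the issuer and expiry checks cover the cases where a key is reused by mistake or an old cookie is replayed.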


For the second part of the attack, Abdulridha used an SSRF vulnerability. Server-side request forgery (SSRF) is a vulnerability in which an attacker abuses a server's functionality to reach resources that they could not otherwise access directly. In this case, the Facebook application was found to be vulnerable to SSRF, which allowed the researcher to gain access to Facebook's internal network.


Abdulridha reported the problems on September 9. On October 26, the social media company asked him to open a new report, after which mitigations were implemented the same day. On February 25 of this year, Facebook delivered a full fix and rewarded the researcher for his bug report.


In conclusion, the researcher also has a 'golden tip' for bug hunters. "When you see ASPXAUTH try to get the cookies from another website using the same application and test the same method I used: Create new ASPXAUTH cookies from the other website and test if these cookies work on the attacked website."
