Software companies and social services often rely on bug hunters to discover vulnerabilities in their products. However, sometimes misunderstandings happen, and as in the current case, legal actions may be threatened. Wesley Weinberg is a senior security researcher at Synack.
As reported by The Hacker News, he recently participated in Facebook’s bug bounty program, after one of his friends gave him a hint on a potential vulnerability in sensu.instagram(.)com.
A Remote Code Execution Vulnerability in sensu.instagram(.)com
This is how Weinberg discovered a remote code execution (RCE) vulnerability in the way sensu.instagram(.)com processed session cookies, used to remember user login details.
The RCE bug could happen because of two main issues:
1. The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token.
2. The host running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.
Here is the interesting part. By exploiting the vulnerability, the researcher was able to force the server to spit out an enormous database containing Instagram and Facebook usernames and passwords of the companies’ employees. Even though the passwords were protected with a bcrypt encryption, Weinberg easily cracked many passwords that were weak.
Probably stunned by this discovery, Weinberg didn’t want to stop, so he continued with his research.
He then investigated other configuration files he discovered on sensu.instagram(.)com’s server and discovered that one of the files contained keys for Amazon Web Services accounts used by the latter to host Instagram’s Sensu setup. His investigation then revealed that the keys listed 82 Amazon s3 unique buckets (storage units). There was nothing wrong with the latest file in the bucket. However, an older version contained another key pair that enabled him to read the contents of all 82 buckets:
Instagram’s source code
SSL certificates and private keys (including for instagram.com and *.instagram.com)
API keys that are used for interacting with other services
Images uploaded by Instagram users
Static content from the instagram.com website
Email server credentials
iOS/Android app signing keys
Logically, Weinberg went on reporting his key finding to Facebook’s security team. However, Facebook was more concerned with the fact that the researcher accessed employees and users’ private data than with the vulnerability itself. Not only Facebook didn’t reward him for his work but they also disqualified him from their bug bounty program.
Here is the official statement given by Facebook:
We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.
So, which side are you on?