Hacker found a way to read files on Facebook servers
Bug Bounty programs are bearing fruit to various companies, including the largest. Most often, hackers find quite easy to exploit vulnerabilities like XSS and CSRF, but there are interesting ones that are quite rare. One such is the recent example of reading files on Facebook servers, found by Josip Franjković .
The weak spot on Facebook was the file upload form located on the resume download page . Trying to download files with potentially dangerous extensions like .php, as well as files with names like "/ etc / passwd" and "file: /// etc / passwd", Josip received only the path to these files, as well as their contents, after conversion to Base64 .
Continuing to download various files, he noticed that the downloaded archive with the .zip extension is unpacked and all the same content in Base64 and the path to the unpacked files are returned. After that, Josip created a symlink on his computer to the file “/ etc / passwd” ( ln -s / etc / passwd link ), packed it in ZIP (zip --symlinks test.zip link) and tried to upload it to the server as a summary . The response from the server was the contents of the file "/ etc / passwd" located on the Facebook server. In this way, he could read any file on the server.
The contents of the file "/ etc / passwd" on the server
To fix the vulnerability, Facebook took less than 12 hours. The reward for Frankovich, under the "white" hacker reward program, was a payment of $ 5500.
UPDATE # 1:In his blog, the author said that the files were not read on a Facebook server, but on a third-party server that provides resume verification. It was because of this that the payout was so small.