Update: A Facebook representative have provided the following statement regarding this article:
We applaud George Deglin who brought this issue to our attention for responsibly reporting the bug to our White Hat Program. We worked with him to make sure we understood the full scope of the vulnerability, which allowed us to fix it and ensure no damage was done. To be clear, this does not represent a hack of Facebook or its databases, but an external server used to host non-confidential sample code. No user data or Facebook production code was vulnerable, and we have since changed our policies to prevent situations like these from occurring in the future. Due to the responsible reporting of this issue to Facebook, we have no evidence of abuse stemming from this vulnerability. We have provided a bounty to thank him for his contribution to Facebook Security.
Original story: Just how secure is Facebook, Google, or any other web service we use daily? Do we automatically assume that the bigger these companies are, the more untouchable they must be? Unfortunately, that’s not the case at all, as Sony and countless other companies have proven lately in severe high-profile security breaches. To that end, VentureBeat sat down with George Deglin, a cofounder and lead programmer of Hiptic Games, who moonlights as a security researcher for Fortune 500 companies. Deglin has been in the news previously for discovering various security holes between Yelp and Facebook that put user data at risk.
Lately, Deglin has been partaking in Facebook’s bug bounty reward program, in which anyone who discovers issues or security weaknesses can report them for a minimum reward of $500. The more severe the security risk or bug is, the higher the reward. Now Deglin believes he has stumbled upon the most severe security hole he’s ever happened across — and he decided to share the story. The issue has already been reported and fixed, as per the terms of Facebook’s Responsible Disclosure Policy.
VentureBeat: Can you start from the beginning and explain how you came across the issue?
George Deglin: Sure. I’ll start out with exactly what it was. Basically, a team at Facebook — not the primary engineering team, but the team that manages helping developers out — rented some web hosting space. Because, I guess, for some reason they couldn’t just use Facebook’s servers because of bureaucracy or something like that. On this web hosting space, they put up a bunch of sample code and little testing things that they were doing. I’m guessing that some of them…this team probably had a lot of new members, who were learning about Facebook’s API. Basically, it was just a mish-mash of all kinds of stuff they had written that hadn’t gone through Facebook’s normal engineering vetting process. One of the things that they had uploaded to this server was a zip file containing some sample source code. I stumbled across the server. …
VentureBeat: What were you doing to find it?
Deglin: I’ll get into that a little bit later. I just wanted to tell you about the vulnerability and then get to the details of how I discovered it. But, yeah, essentially they had uploaded a zip file to the server. I was able to find the path of the zip file. I downloaded it, and I looked through the files. One of the files contained several usernames and passwords. I took those usernames and passwords, and I went through them, and eventually, one of them worked as an administration login for the server itself. Once I had that, I was like … I could do pretty much anything. Change the files any way I wanted. I could look through the database. That’s the thing I did next. I said, okay, what are they running on this server? I looked at the database and realized that one of the scripts that they had running on it was a little signup form that they use for a sample. This signup form had a password field. All the passwords and e-mails that people were putting in this signup form were getting saved to the database in plain text. I was now able to see them.
VentureBeat: As the admin?
VentureBeat: So you only had access to these plain text usernames and e-mails through the admin access that you’d found in that file?
VentureBeat: Using that information, were you able to do anything on Facebook itself?
Deglin: At that point, I decided I should probably not try to go any further from there. I was at the point where…I felt that it would be pretty unethical for me to then try to hack into an employee’s Facebook account. So I never tried any of those passwords. But I can say that the passwords looked legitimate. It wasn’t just something like “password123” that someone would normally put into a test form. These passwords looked pretty clearly like someone’s primary, the password they would use for something important.
Anecdotally, I know that if you do get access to a Facebook employee’s account, they do have certain features available to them to do things that ordinary people should not be able to do. So it is possible that I would have been able to see private data that I wasn’t supposed to be able to see. It’s quite likely that I would have been able to get access to their source code management tool and steal code from them, with a little bit of luck. But all of those things I decided would probably cross a line, as opposed to just finding vulnerabilities.
VentureBeat: From there, how did you submit it to the Facebook programmers?
Deglin: Facebook has a website where security researchers, or anyone who finds a vulnerability, can submit reports of security holes that they’ve found. They also award a cash prize depending on the scenario. So immediately after I found it, I submitted it. And I’ve submitted stuff to them before. Usually it takes them a couple of days to respond. This time, they responded to it within a couple of hours. And this was around 1 in the morning. They fixed it overnight, and then, in the morning, they sent me an e-mail saying it was fixed, also saying that they’d pay me a few thousand dollars for finding it.
VentureBeat: Can you tell me what you’ve been paid before? The amount you’ve been paid for a couple of the ones before and what that was for?
Deglin: Their minimum is generally $500. They’ve awarded the $500 to me a couple of times for finding pretty low-severity vulnerabilities. Stuff that an attacker might be able to use as part of a phishing attack, for example. A couple times I’ve also been awarded $1,500 to $2,000. Those were for vulnerabilities that would make it easy for me to access sensitive information about people that I shouldn’t be able to see.
VentureBeat: Like credit card information?
Deglin: No, no. They’d probably give me a lot more if I found something like that. [Laughs] No, this was being able to find things like the e-mail of a Facebook user who didn’t want to share their e-mail.
VentureBeat: I used to have my Facebook locked down, and now it’s like I don’t even know how to secure it anymore.
Deglin: They change it all the time. Just recently they put in privacy features on the profile picture, so if you don’t want non-friends to see your profile picture, I think you can do that now. But, yeah, it changes all the time. Even people that work there, I know, don’t understand all the privacy settings. It’s just so complicated.
VentureBeat: So how much will this security hole be worth?
Deglin: I actually expected it to be a little bit more, considering that the vulnerability let me get a Facebook employee’s password. That seems really severe to me. Like on the range of the worst possible vulnerabilities a website could have, this is pretty close to the top.
VentureBeat: Going back to why you were looking in the first place….
Deglin: Yeah. Well, the backstory on how I found it is…I had a little bit of free time, and periodically I just look at what’s new on Facebook, as far as vulnerabilities. There’s a lot of people that do the kind of stuff that I do, and Facebook in general is pretty good about this. It’s not like I can just keep finding vulnerabilities forever. As they introduce new features, new vulnerabilities get opened up, and then they get found and closed down.
Every once in a while, I check and see if there’s anything new here. Did they make a recent acquisition? Did they introduce a new feature? Did they do this or that? Because that’s the window of opportunity to find security holes. In this case, I saw…in their documentation they had this new website where they put up some samples. That was interesting. I went to it, and I said, okay, this is clearly a Facebook website, but it’s also clearly not managed by the same people who design the normal Facebook.com experience. Whenever you see something like that, that’s a really fresh, good target. You know it probably hasn’t gone through the regular vetting process. And sure enough, as compared to normal Facebook.com engineers, who are always very careful and go through code reviews, this website was developed by an amateur who did not go through a careful review process. I found four other vulnerabilities in it before I eventually found this one. I was just reporting them every half hour as I found them. Once I found this one, I was just like, game over.
I could go in and, if I wanted to, I could change all the code so that all the developers who were working with this website could see something else. Or I could change the code so there was a password login, so everyone who went there would think, oh, I should type in my Facebook password here. … There’s so much. It’s such a bad thing. I essentially had the ability to take complete control over a website that Facebook owned and where they sent developers to look at stuff.
VentureBeat: Did you get all the way to the point where you thought, “Okay, I should stop, before submitting that one”? Or did you submit it and then keep messing with it?
Deglin: The minute I had access to the server, I submitted it right away.
VentureBeat: Did you submit it right away in case someone else might find it first — and prevent you from receiving the reward?
Deglin: Um…. No, it was more a part of just being responsible about it. I think it would have been pretty sketchy if I spent a couple of days poking around before telling them. That would be pretty unethical. I want to give them the opportunity to see it as soon as possible so that they can fix it and nobody malicious can find it. And then also, I don’t want them to see me as a potentially malicious person. The reason I do this is because I want to help them out. It’s not even about the money, because in the grand scheme of things, it’s not that much. I do it because I enjoy finding these vulnerabilities. I’m concerned for people that use these websites that have security holes, and I want to make sure companies are more careful about this stuff and can fix it as soon as problems are discovered.
VentureBeat: The things you’re doing with Hiptic, is it all pretty secure? Or do you think that there’s another George Deglin who could come along and mess with your stuff?
Deglin: [Laughs] Everything that I program, I make sure to be really careful about it. I have the advantage of really understanding this security stuff, because I’ve been doing it for a while on the side. In general, I don’t make the kind of mistakes that a lot of other engineers make. And on top of that…it’s just always on my mind. Probably more so than for most people.
Facebook Bug Bounty poster from Defcon 2012
VB's research team is studying web-personalization... Chime in here, and we’ll share the results.