Ahmedabad-based security researcher Bipin Jitiya has won Rs 23.8 lakh for reporting bugs in Facebook, the social networking platform, and in a third-party business intelligence portal. The 26-year-old Jitiya found a web security vulnerability, an internal blind Server-Side Request Forgery (SSRF), in the source code of a publicly accessible endpoint. The bug exists in tools from MicroStrategy that performed custom data collection and content generation.
Facebook has partnered with MicroStrategy on data analytics projects for several years. Jitiya also reported the issue to MicroStrategy’s security team, which acknowledged it. The company says the issue has been fixed.
Jitiya said, “I have always aimed at finding bugs in Facebook because it is the biggest social network on Earth with best-in-class security features in place. This time, they have awarded me $31,500 for finding the critical bug. I have identified bugs in their systems in the past too.”
In an SSRF attack, attackers abuse functionality on the server to read or update internal resources: the attacker makes the server open a connection back to itself or to hosts on its internal network that are not reachable from outside.
Jitiya created a scenario showing how sensitive information leakage can be used to launch specific attacks such as path traversal and Server-Side Request Forgery (SSRF). If an attacker can learn the internal IP address of the network, they can easily target systems within it.
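As an added illustration of the pattern described above (this is example code, not code from the article, Facebook or MicroStrategy's tools), here is a server-side URL-fetching feature in its trusting form beside a hardened form that refuses loopback and private-network targets; the allowlisted host name and the addresses are constructed values.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only host the report feature should ever fetch from.
ALLOWED_HOSTS = {"data.example.com"}


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local and other non-public addresses."""
    return not ipaddress.ip_address(ip).is_global


def vulnerable_target(url: str) -> str:
    """'Before' pattern: the server fetches whatever URL it is handed, so a
    request can steer it back at itself (127.0.0.1) or into the internal network."""
    return url


def check_url(url: str, addresses: list) -> tuple:
    """Hardened pattern. `addresses` are the IPs the host name resolves to; they
    are passed in explicitly so the logic can be exercised offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if not addresses:
        return False, "host did not resolve"
    # Check every resolved address: an allowlisted name that resolves (or is
    # later rebound) to loopback or a private range is still refused.
    for ip in addresses:
        if is_internal_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def safe_target(url: str) -> str:
    """Resolve the host with the system resolver, then apply check_url."""
    host = urlparse(url).hostname or ""
    try:
        addresses = [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        addresses = []
    ok, reason = check_url(url, addresses)
    if not ok:
        raise ValueError(reason)
    return url
```

`check_url` is the piece to unit-test; `safe_target` is the same check wired to real DNS for use in a request handler.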
He further added, “When I first got this bug on the Facebook server, I tried to convert it to RCE (remote code execution) but, unfortunately, they implemented good security measures. However, I made a total of $31,500 ($1,000 + $30,000 + $500) from this vulnerability.”