New Delhi, October 6
A security researcher has discovered a vulnerability in the download feature of Facebook's Android app that could be exploited to launch remote code execution (RCE) attacks. The social networking giant awarded the researcher $10,000 for finding the bug.
Facebook's Android app uses two methods of downloading files from a host: a built-in Android service called DownloadManager and a second method called Files Tab.
Security researcher Sayed Abdelhafiz found a path traversal flaw in the second method.
"I found an ACE on Facebook for Android that can be triaged by downloading a file from group Files Tab without opening the file," he said in a post on Medium.
The vulnerability was in the second method. While security measures had been implemented on the server side when uploading the files, it was easy to bypass these.
"The first idea that came to my mind was to use path traversal to overwrite native libraries which may lead to executing arbitrary code," Abdelhafiz said.
Abdelhafiz explained how the Files Tab flaw enabled the researcher to launch RCE attacks against a target device.
The vulnerability in the Files Tab has now been fixed.
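As an added defensive illustration, not code from Facebook or from the researcher, the following Java check is the kind an Android app can apply before writing a server-supplied file name into its download directory: the name is canonicalised against the trusted directory and rejected if it resolves outside it. The directory and file names are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Resolves a server-supplied file name inside the app's download directory
 * and rejects any name that escapes it (for example via "../" segments).
 * Names and directories below are assumptions made for this illustration.
 */
public final class SafeDownloadPath {

    private SafeDownloadPath() {}

    public static File resolve(File downloadDir, String untrustedName) throws IOException {
        // Canonical form of the trusted base directory: symlinks resolved, "." and ".." collapsed.
        String base = downloadDir.getCanonicalPath();
        // Build the candidate path from the untrusted name and canonicalise it the same way,
        // so that traversal segments in the name are collapsed before the comparison.
        File candidate = new File(downloadDir, untrustedName);
        String resolved = candidate.getCanonicalPath();
        // Require the candidate to sit strictly inside the base directory, with a separator
        // boundary, so a sibling such as "app_downloads_other" does not pass for "app_downloads".
        if (!resolved.startsWith(base + File.separator)) {
            throw new IOException("Rejected file name outside download directory: " + untrustedName);
        }
        return candidate;
    }

    // Constructed demonstration: a benign name is accepted, a traversal name is rejected.
    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "app_downloads"); // assumed directory
        dir.mkdirs();
        System.out.println(resolve(dir, "report.pdf"));                 // accepted
        try {
            resolve(dir, "../../lib/example.so");                       // constructed traversal name, rejected
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```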
In June this year, Ahmedabad-based security researcher Bipin Jitiya received Rs 23.8 lakh ($31,500) from Facebook for identifying a bug in its social networking platform and a third-party business intelligence portal.
Jitiya, 26, identified the web security vulnerability, an internal blind Server-Side Request Forgery (SSRF), in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.
MicroStrategy has partnered with Facebook on data analytics initiatives for several years. Jitiya reported the bug to MicroStrategy's security team, who acknowledged it, saying the issue has been mitigated.
In May, a 27-year-old Indian security researcher, Bhavuk Jain, grabbed $100,000 (over Rs 75.5 lakh) from Apple for finding a now-patched zero-day vulnerability in the Sign in with Apple account authentication.
The zero-day vulnerability could have allowed a hacker to break into the account of an Apple user who logs into third-party apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) and more.
Source: www.tribuneindia.com