New Delhi: A security researcher has observed a vulnerability in the down load feature of Facebooks Android app that could be exploited to start remote code execution (RCE) attacks. The social networking giant awarded the researcher $10,000 for obtaining the bug.
Facebook’s Android application utilizes two methods of downloading data files from a group — a crafted-in Android service identified as DownloadManager and a next process named Information Tab.
Security researcher Sayed Abdelhafiz found out a path traversal flaw in the second strategy.
“I found an ACE on Fb for Android that can be triaged through a obtain file from team Information Tab without opening the file,” he said in a submit on Medium.
The vulnerability was in the next process. Whilst security steps were executed on the server facet when uploading the information, it was straightforward to bypass those.
“1st plan that arrived to my mind was to use route traversal to overwrite native libraries which will direct to executing arbitrary code,” Abdelhafiz claimed.
Abdelhafiz stated how the Files Tab flaw enabled the researcher to launch RCE attacks towards a concentrate on device.
The vulnerability in the Information Tab has now been mounted.
In June this 12 months, Ahmedabad-dependent security researcher Bipin Jitiya received Rs 23.8 lakh ($31,500) from Fb for pinpointing a bug in its social networking platform and a 3rd-social gathering enterprise intelligence portal.
Jitiya, 26, determined the web security vulnerability in inside blind Server-Facet Request Forgery (SSRF) in the resource code of a publicly available endpoint, constructed utilizing instruments from MicroStrategy, that executed customized details assortment and articles era.
MicroStrategy has partnered with Fb on facts analytics assignments for various decades. Jitiya noted the bug to the MicroStrategy’s security staff, who acknowledged it, stating the issue has been mitigated.
In May, a 27-calendar year-outdated Indian security researcher Bhavuk Jain grabbed $100,000 (around Rs 75.5 lakh) from Apple for getting a now-patched Zero Day vulnerability in the Indication in with Apple account authentication.
The Zero Day vulnerability could have permitted a hacker to split into an Apple user’s account who log into third-celebration apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Fb) and additional.
Some parts of this post are sourced from:
www.gadgetsnow.com