02 Sep 2018
Facebook bug bounty awarded to Blaklis
On July 30, 2018, Daniel ‘Blaklis’ Le Gall (aka Matsuyama) from SCRT information security reported a $5k bug bounty flaw to Facebook. Blaklis scanned an IP range that belongs to Facebook (199.201.65.0/24) and discovered an unstable Python based service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com, which had its Django framework debug mode still enabled. Within the debugger’s stack trace based on Pickle protocol there was a key available which could have allowed user session hijacking.
Facebook expediently patched the server in question on August 9th and awarded Blaklis $5k for his sophisticated sleuthing.
]]>