Friday, October 30, 2020

Facebook app: Facebook awards $10,000 for finding bug in its Android app – Latest News

New Delhi: A security researcher has found a vulnerability in the download feature of Facebook's Android app that could be exploited to launch remote code execution (RCE) attacks. The social networking giant awarded the researcher $10,000 for finding the bug.

Facebook’s Android app uses two methods of downloading files from a group — a built-in Android service called DownloadManager and a second method called Files Tab.

Security researcher Sayed Abdelhafiz discovered a path traversal flaw in the second method.

“I discovered an ACE on Facebook for Android that can be triaged through a download file from group Files Tab without opening the file,” he said in a post on Medium.

The vulnerability was in this second method: security measures were implemented on the server side when files were uploaded, but they were easy to bypass.

“First idea that came to my mind was to use path traversal to overwrite native libraries which will lead to executing arbitrary code,” Abdelhafiz said.

Abdelhafiz explained how the Files Tab flaw could be used to launch RCE attacks against a target device.

The vulnerability in the Files Tab has now been fixed.
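
The class of bug described above is a client writing a downloaded file under a name it received from the server without re-checking it. The following is an added example, not code from Facebook or from the researcher's write-up: it shows an unchecked join beside a hardened check that canonicalizes the target and accepts it only if it is a direct child of the download directory. The class name, method names, directory and sample file names are all hypothetical and constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

public class SafeDownloadPath {
    // Unchecked pattern: the server-supplied name is joined to the directory as-is,
    // so "../" segments decide where the file is finally written.
    static File naiveTarget(File downloadDir, String serverName) {
        return new File(downloadDir, serverName);
    }

    // Hardened pattern: canonicalize first, then require the result to sit
    // directly inside the download directory. Anything else is refused.
    static File safeTarget(File downloadDir, String serverName) throws IOException {
        if (serverName == null || serverName.isEmpty() || serverName.indexOf('\0') >= 0) {
            throw new SecurityException("invalid file name");
        }
        File base = downloadDir.getCanonicalFile();
        File target = new File(base, serverName).getCanonicalFile();
        if (!base.equals(target.getParentFile())) {
            throw new SecurityException("name escapes download directory: " + serverName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed download directory and constructed file names.
        File dir = new File(System.getProperty("java.io.tmpdir"), "group_files");
        dir.mkdirs();
        String[] names = {
            "report.pdf",
            "../../constructed/libexample.so",
            "sub/../../constructed/libexample.so",
            "notes.txt"
        };
        for (String name : names) {
            File naive = naiveTarget(dir, name).getCanonicalFile();
            String verdict;
            try {
                verdict = "accepted -> " + safeTarget(dir, name);
            } catch (SecurityException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.println(name);
            System.out.println("  unchecked join resolves to: " + naive);
            System.out.println("  hardened check:             " + verdict);
        }
    }
}
```

The check runs on the device at write time, so it holds even when upload-side filtering on the server is bypassed.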

In June this year, Ahmedabad-based security researcher Bipin Jitiya won Rs 23.8 lakh ($31,500) from Facebook for identifying a bug in its social networking platform and a third-party business intelligence portal.

Jitiya, 26, identified a web security vulnerability, an internal blind Server-Side Request Forgery (SSRF), in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.

MicroStrategy has partnered with Facebook on data analytics projects for several years. Jitiya reported the bug to MicroStrategy's security team, who acknowledged it, saying the issue has been mitigated.

In May, 27-year-old Indian security researcher Bhavuk Jain grabbed $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the Sign in with Apple account authentication.

The zero-day vulnerability could have allowed a hacker to break into the accounts of Apple users who log into third-party apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) and more.
