{"id":610,"date":"2022-07-20T16:00:05","date_gmt":"2022-07-20T16:00:05","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2022\/07\/20\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/"},"modified":"2022-07-20T16:00:05","modified_gmt":"2022-07-20T16:00:05","slug":"how-meta-and-the-security-industry-collaborate-to-secure-the-internet","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2022\/07\/20\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/","title":{"rendered":"How Meta and the security industry collaborate to secure the internet"},"content":{"rendered":"<p><span>Bug hunting is hard and can sometimes go unnoticed across our industry. Building scalable bug detection methods across large codebases and open source libraries is an underappreciated yet critical effort every engineering company has to work through. Because the ideal outcome is that bugs are found and fixed before they are exploited, some of our industry\u2019s best work is often unknown.\u00a0<\/span><\/p>\n<p><span>However, information sharing about bug discoveries between our engineers, or between bug bounty researchers, has generated new ideas and led to novel ways to improve the security of our platform. We believe that sharing our key learnings externally on a more regular basis is an important step forward for transparency and advancement across our industry.<\/span><\/p>\n<p><span>Today, we\u2019re excited to publish the first in a series of regular Bug Bulletins, in which we\u2019ll share the details of some of the notable finds identified in our own, and in third-party, code. 
We\u2019ll use these bulletins to share overviews \u2014 and occasionally deep dives \u2014 into specific bugs, as well as updates on relevant security programs.<\/span><\/p>\n<h2><span>How we hunt for bugs at Meta<\/span><\/h2>\n<p><span>Before we dive into recent learnings, here is a bit of context on how we look for security bugs at Meta: Finding and fixing bugs is an essential part of our <\/span><a href=\"https:\/\/about.fb.com\/news\/2019\/01\/designing-security-for-billions\/\" target=\"_blank\" rel=\"noopener\"><span>\u201cdefense-in-depth\u201d security strategy<\/span><\/a><span>. This approach means we\u2019ve implemented layers of protections across our platform. If a vulnerability in our code makes it past one line of defense, we have additional layers of support to prevent and address bugs as quickly as possible.<\/span><\/p>\n<p><span>As it\u2019s practically impossible to write flawless code, it\u2019s not uncommon for software \u2014 both in-house and open source \u2014 to have bugs. Like our peers, our strategy is twofold: While we\u2019re constantly working on improving the quality of our code before it makes it into production, we also build in layers of protection to prevent and detect bugs in existing code as quickly as possible.<\/span><span> We rely on a combination of <\/span><a href=\"https:\/\/engineering.fb.com\/2021\/09\/29\/security\/mariana-trench\/\" target=\"_blank\" rel=\"noopener\"><span>automated tooling<\/span><\/a><span>, security reviews, <\/span><a href=\"https:\/\/www.wired.com\/story\/facebook-red-team-x-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\"><span>red teaming<\/span><\/a><span>, and our <\/span><a href=\"https:\/\/about.fb.com\/news\/2021\/12\/expanding-bug-bounty-program-to-address-scraping\/\" target=\"_blank\" rel=\"noopener\"><span>Bug Bounty program<\/span><\/a><span> to help keep our community safe. This work isn\u2019t done in a vacuum or within one single team. 
And often, bugs that are discovered in one product area can inform the way we approach our work in an entirely different part of the codebase.\u00a0<\/span><\/p>\n<p><span>In this first post in the series, we\u2019ll share notable bugs that we\u2019ve found and fixed in our own software and reported to third-party developers, and we\u2019ll highlight some of the finds by our bug bounty researchers.<\/span><\/p>\n<h2><span>Static analysis work\u00a0<\/span><\/h2>\n<p><span>Our automated <\/span><a href=\"https:\/\/engineering.fb.com\/2021\/10\/20\/security\/static-analysis-award\/\"><span>static analysis tools<\/span><\/a><span> help us review large amounts of code at scale, which frees up time for our engineers to analyze more complex scenarios. <\/span><span>Over the past five years, we\u2019ve built and continuously improved our homegrown tools \u2014\u00a0they now help us find about 70 percent of the security vulnerabilities we discover. For example, our work on <\/span><a href=\"https:\/\/engineering.fb.com\/2019\/08\/15\/security\/zoncolan\/\" target=\"_blank\" rel=\"noopener\"><span>Zoncolan<\/span><\/a><span>, which reviews Hack code, has helped us find over 1,300 bugs this year.\u00a0<\/span><\/p>\n<p><span>Zoncolan recently identified a bug in Messenger\u2019s back-end production code that could have allowed a bad actor to inject \u201cYou celebrated a friendversary with a friend\u201d into a chat thread between any two people. This could have been leveraged by a malicious actor to create a false sense of long-term authentic connection to exploit for scams. The message would have appeared inside someone\u2019s Chat List if they were already connected or in their Message Request folder if they weren\u2019t. Zoncolan found this bug by tracing a flow from user-controlled input into the construction of a viewer context, the object that represents who is acting in a request and on which authorization decisions are made; that identity must come from the authenticated session, never from request data. 
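To make that bug class concrete, here is an added example that is not Meta's or Zoncolan's code: a toy intra-procedural taint check written in Python with the standard `ast` module, run over a constructed, hypothetical pair of handlers in which `ViewerContext`, `post_friendversary`, `request.get` and `session.user_id` are all assumed names. Zoncolan itself is an interprocedural analysis of Hack code; the point here is only the source-to-sink rule it would apply: anything read from the request is untrusted, and it must never reach the constructor of the viewer identity.

```python
import ast
import textwrap

# Constructed, hypothetical handlers (not from the Messenger code base).
# `request`, `session`, `ViewerContext` and `post_friendversary` are assumed names.
SAMPLE = textwrap.dedent('''
    def vulnerable_handler(request, session):
        # The acting identity is whatever the client claims in the request.
        actor_id = request.get("viewer_id")
        vc = ViewerContext(actor_id)
        return post_friendversary(vc, request.get("thread_id"))

    def fixed_handler(request, session):
        # The acting identity comes from the authenticated session only.
        vc = ViewerContext(session.user_id)
        return post_friendversary(vc, request.get("thread_id"))
''')

TAINT_SOURCES = {"request"}   # parameters whose contents are attacker-controlled
SINKS = {"ViewerContext"}     # constructors that must never receive tainted data


def _is_tainted(node, tainted):
    """True if the expression `node` reads any name currently marked tainted."""
    return any(isinstance(sub, ast.Name) and sub.id in tainted
               for sub in ast.walk(node))


def find_tainted_sinks(source_code):
    """Return [(function, line, sink)] for each sink call fed by a taint source.

    Taint starts at parameters named in TAINT_SOURCES and propagates through
    plain assignments (`x = <expr reading a tainted name>`) within one function.
    """
    findings = []
    for fn in ast.parse(source_code).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = {a.arg for a in fn.args.args if a.arg in TAINT_SOURCES}
        for stmt in fn.body:
            # Report any sink call in this statement that reads tainted data.
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call)
                        and isinstance(call.func, ast.Name)
                        and call.func.id in SINKS
                        and any(_is_tainted(arg, tainted) for arg in call.args)):
                    findings.append((fn.name, call.lineno, call.func.id))
            # Then propagate: a variable assigned from tainted data is tainted.
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
    return findings


if __name__ == "__main__":
    for func, line, sink in find_tainted_sinks(SAMPLE):
        print(f"{func}:{line}: {sink}() built from request-controlled input")
```

Running the block flags the `ViewerContext(actor_id)` call in the vulnerable handler and is silent on the fixed one, where the viewer is derived from the session. The toy follows taint only through straight-line assignments inside a single function; a production analysis also follows it across calls, containers and sanitizers, which is what makes finding an endpoint with no front-end caller possible.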
<\/span><span>These vulnerable endpoints did not have any front-end integration and were not present anywhere in our apps in production. Our team quickly reviewed the report from Zoncolan, found no evidence of abuse, and mitigated the impacted endpoints to fix the issue.\u00a0<\/span><\/p>\n<h2><span>Red Team X work<\/span><\/h2>\n<p><span>In addition to bug hunting in our own code, our <\/span><a href=\"https:\/\/www.wired.com\/story\/facebook-red-team-x-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\"><span>Red Team X<\/span><\/a> <span>works to spot security vulnerabilities in external hardware and software and keep the broader internet safe. As part of our responsible disclosure policy, we regularly report bugs in third-party code to companies and work directly with them to test and confirm their mitigations.<\/span> <span>Here are a few recent examples of interesting collaborations we\u2019ve had across the industry.\u00a0<\/span><\/p>\n<p><span>Our team is working with Schneider Electric, a company that <\/span><span>specializes in digital automation and energy management<\/span><span>, to fix a set of vulnerabilities in two Ethernet modules that bring modern networking capabilities to the M580 line of PLCs (<\/span><span>programmable logic controllers)<\/span><span>. PLCs or PACs (programmable automation controllers) allow equipment to act on complex instructions and are used in industrial control systems for machinery across many industries. When chained together, the identified vulnerabilities could enable an authenticated attacker to bypass multiple firmware verification stages and the module\u2019s secure boot process, remotely overwriting the module\u2019s firmware. This could lead to either permanently bricking or backdooring the device. To exploit these vulnerabilities, an attacker would require network access and valid credentials for the privileged \u201cinstaller\u201d account. 
Schneider Electric is performing a comprehensive analysis to identify and provide fixes for all products affected by these findings. These vulnerabilities have been assigned <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-gw7v-fg4q-r96h\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-34759, CVE-2022-34760, CVE-2022-34761<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-c4vw-wm5f-c9p9\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-34762, CVE-2022-34763<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-gw7v-fg4q-r96h\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-34764<\/span><\/a><span>, and <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-c4vw-wm5f-c9p9\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-34765<\/span><\/a><span>.<\/span><\/p>\n<p><span>We also worked with Airspan, a company that provides hardware and software for 4G and 5G networks, to harden a line of eNodeBs, the LTE base stations that provide cell service to phones and other LTE devices and connect them to the operator\u2019s network. We reported issues and verified fixes for vulnerabilities that could have allowed both local and networked adversaries to gain root command execution. By controlling the \u201clast hop\u201d of LTE infrastructure, an attacker could have impacted availability by disabling cell service. Our investigation found that while an attacker could have accessed the encrypted user traffic, they would not have been able to decrypt it. A malicious actor could also have used this access to pivot deeper into cellular infrastructure, affecting the company networks where these eNodeBs are deployed, or even connecting to the major network operators that route and handle LTE data and calls. 
These issues have been assigned <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-9v93-3qpc-hxj9\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-36306<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-8j75-qh6c-wpc5\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-36307<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-qjgc-rx8m-q58x\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-36308<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-p295-2jh6-g6g4\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-36309<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-whc6-2989-42xm\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-36310<\/span><\/a><span>, CVE-2022-36311, and CVE-2022-36312.<\/span><\/p>\n<p><span>Our Red Team X recently reported a vulnerability in Apple\u2019s macOS Big Sur that allowed kernel code execution in the Darwin kernel. This could have been exploited by forking processes and leveraging the host_request_notification API. We found this bug through a manual audit of the Darwin kernel and experimentation. Apple disclosed the vulnerability and released software fixes in Security Update 2021-005 Catalina; iOS 14.8 and iPadOS 14.8; tvOS 15; iOS 15 and iPadOS 15; watchOS 8; and macOS Big Sur 11.6. 
This finding was assigned <\/span><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-30857\" target=\"_blank\" rel=\"noopener\"><span>CVE-2021-30857<\/span><\/a><span>.<\/span><\/p>\n<p><span>Through manual code review, Red Team X also found a series of bugs in EternalTerminal, a third-party open source remote terminal that can automatically reconnect after events like network outages and IP roaming without interrupting the session. Most notably, they reported a bug that could allow an attacker to change the ownership of arbitrary files and subsequently gain root privileges on the host machine. These bugs have been patched by the maintainers of EternalTerminal and assigned <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-hxg8-4r3q-p9rv\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-24949<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-85gw-pchc-4rf3\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-24950<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-546v-59j5-g95q\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-24951<\/span><\/a><span>, and <\/span><a href=\"https:\/\/github.com\/metaredteam\/external-disclosures\/security\/advisories\/GHSA-8cw3-6r98-g7cw\" target=\"_blank\" rel=\"noopener\"><span>CVE-2022-24952<\/span><\/a><span>.\u00a0 <\/span><\/p>\n<h2><span>Bug bounty work<\/span><\/h2>\n<p><span>One benefit of having a 10-plus-year <\/span><a href=\"https:\/\/www.facebook.com\/whitehat\" target=\"_blank\" rel=\"noopener\"><span>Bug Bounty program<\/span><\/a><span> is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services. 
These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn\u2019t necessarily know to look for.<\/span><\/p>\n<p><span>For example, one of our longtime researchers, Youssef Sammouda, spent seven months hunting for bugs in our Facebook Canvas App platform. Over a decade ago, we created the Canvas App to help developers embed their games and apps on our web gaming platform. Sammouda audited the client-side code inside<\/span><a href=\"http:\/\/apps.facebook.com\/\" target=\"_blank\" rel=\"noopener\"> <span>apps.facebook.com<\/span><\/a><span> and found a number of high-severity bugs in our OAuth implementation that could have led to account takeover. These were complex scenarios: to exploit the bugs, an attacker would first have needed to trick the target into clicking a link, for example. We investigated these reports, fixed the issues, and found no evidence of abuse. In total, Sammouda submitted six bug reports to us, totaling $187,250 in bounty awards. To date, this is the largest series of payouts we\u2019ve issued to one researcher for a single implementation. We\u2019ve worked with him to confirm our mitigations, and we appreciate his continued partnership in testing our defenses. Sammouda shared additional insights and advice for security researchers in<\/span><a href=\"https:\/\/ysamm.com\/\" target=\"_blank\" rel=\"noopener\"> <span>his blog<\/span><\/a><span>.<\/span><\/p>\n<p><span>Another of our longtime researchers, Philippe Harewood, recently identified an endpoint vulnerability that could have allowed a malicious actor to retrieve an Instagram app access token. 
The great benefit of working through these reports with our researchers is that even when we have protections in place to prevent the most impactful exploit scenarios \u2014 as in this case \u2014 collaboration often leads us to make changes that prevent similar issues across our codebase in the future, and we reward researchers based on the maximum potential impact we establish through our own follow-up internal security research. We fixed this endpoint issue, have not seen any indicators of abuse, and awarded Harewood a $30,000 bounty.\u00a0<\/span><\/p>\n<p><span>We are thankful to the security community for contributing great research to our program. We\u2019re continuing to do our part to expand the pool of researchers who join the bug bounty community. Last month, we hosted our inaugural <\/span><a href=\"https:\/\/bountyconedu2022.splashthat.com\/\" target=\"_blank\" rel=\"noopener\"><span>BountyConEDU conference<\/span><\/a><span> in Madrid, where we invited university students and recent graduates across Europe to learn <a href=\"https:\/\/engineering.fb.com\/2022\/07\/20\/security\/hermes-quicksort-to-run-doom\/\" target=\"_blank\" rel=\"noopener\">how we investigate reports<\/a> and to participate in a live hacking event. <\/span><span>Over three days, we received 26 valid reports and paid out more than $35,000 in bounties. 
<\/span><span>This pilot event far surpassed our expectations, and we are excited to use our learnings to create similar opportunities around the world.\u00a0<\/span><\/p>\n<p><span>As we continue to shape the format of these <\/span><span>Bug Bulletin<\/span><span> updates, we welcome any feedback from our industry partners and peers and hope they will let us know what they\u2019d find most beneficial to read about next on <\/span><span>the Engineering at Meta blog<\/span><span>.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2022\/07\/20\/security\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/\">How Meta and the security industry collaborate to secure the internet<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Bug hunting is hard and can sometimes go unnoticed across our industry. Building scalable bug detection methods across large codebases and open source libraries is an underappreciated yet critical effort every engineering company has to work through. 
Because the ideal outcome is that bugs are found and fixed before they are exploited, some of our&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2022\/07\/20\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/\">Continue reading <span class=\"screen-reader-text\">How Meta and the security industry collaborate to secure the internet<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-610","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=610"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/610\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}