Friday, January 22, 2021

Facebook pays 2.4 million to Indian security researcher for bug alert


It is raining bug bounties for Indian ethical hackers and cybersecurity researchers: Ahmedabad-based security researcher Bipin Jitiya has won Rs 2.4 million ($31,500) from Facebook for identifying a bug in its social networking platform and in a third-party business intelligence portal.

Jitiya, 26, identified an internal blind Server-Side Request Forgery (SSRF) vulnerability in the source code of a publicly accessible endpoint, built using MicroStrategy tools, that performed custom data collection and content generation. "Blind" here means the attacker does not see the response of the forged request directly and has to infer its effect, for example from timing or error behaviour.


MicroStrategy has partnered with Facebook on data analytics projects for several years. Jitiya reported the bug to MicroStrategy's security team, who acknowledged it and said the issue has been mitigated.

"I have always aimed at finding bugs in Facebook because it is the biggest social network on Earth with best-in-class security features in place. This time, they have awarded me with $31,500 for finding a critical bug. I have identified bugs in their systems in the past too," Jitiya told IANS on Monday.

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. In typical SSRF attacks, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.
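The pattern described above, shown as an added example that is not from the original article and is not MicroStrategy's or Facebook's code: a server-side "fetch this URL" function in its vulnerable form beside a hardened version that only fetches allowlisted public hosts and rejects destinations that resolve to loopback, private, link-local (including the cloud metadata address) or otherwise non-routable ranges. The allowlisted host names, the DNS table and the HTTP client stand-in are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service legitimately fetches from (assumption).
ALLOWED_HOSTS = {"reports.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. cdn.example.com is made
# to resolve to an RFC 1918 address to show that a name on the allowlist is
# still rejected when it points into the internal network.
CONSTRUCTED_DNS = {
    "reports.example.com": "93.184.216.34",
    "cdn.example.com": "10.0.0.5",
}


def constructed_resolve(host):
    """Stand-in for DNS resolution; only knows the constructed table."""
    return CONSTRUCTED_DNS[host]


def fetch_unsafe(url, http_get):
    """Vulnerable pattern: the server fetches whatever URL the client supplied.

    `http_get` stands in for a real HTTP client. A user who controls `url`
    can point the server at 127.0.0.1, 10.x.x.x or a cloud metadata endpoint
    and, in a non-blind SSRF, read the response back. That is the core of SSRF.
    """
    return http_get(url)


def is_safe_destination(url, resolve=socket.gethostbyname):
    """Return True only if `url` points at an allowlisted, publicly routable host.

    Checks scheme, then the host against the allowlist, then the *resolved*
    address, so a permitted name that resolves internally is still refused.
    `resolve` is injectable so the check can be exercised without network access.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # urlparse().hostname strips userinfo, so "allowed.host@10.0.0.1" is seen
    # as 10.0.0.1 and fails the allowlist check.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False
    # Python's is_private covers RFC 1918, loopback, link-local (169.254/16,
    # where the cloud metadata service lives) and the documentation ranges;
    # the remaining flags catch multicast, 0.0.0.0/:: and 240.0.0.0/4.
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved):
        return False
    return True


def fetch_safe(url, http_get, resolve=socket.gethostbyname):
    """Hardened fetch: refuse anything that fails the destination check."""
    if not is_safe_destination(url, resolve):
        raise ValueError("refusing to fetch non-allowlisted or internal destination")
    return http_get(url)


if __name__ == "__main__":
    fake_get = lambda u: "fetched " + u
    print(fetch_unsafe("http://127.0.0.1/admin", fake_get))
    print(fetch_safe("https://reports.example.com/r?id=1", fake_get, constructed_resolve))
    for bad in ("http://10.0.0.5/", "https://cdn.example.com/x",
                "http://reports.example.com@169.254.169.254/latest/meta-data/",
                "file:///etc/passwd"):
        print(bad, "->", is_safe_destination(bad, constructed_resolve))
```

Two caveats a practitioner would add. First, the check resolves the name once and the HTTP client then resolves it again, so a rebinding DNS record can pass the check and connect somewhere else; in production, connect to the address that was vetted rather than re-resolving. Second, the client must not follow redirects, or must re-run the check on every hop, otherwise an allowlisted host that 302s to an internal address defeats the filter.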

“I created a scenario that shows how the sensitive information leakage may be useful for launching specific attacks like path traversal and Server Side Request Forgery (SSRF). If an attacker is able to learn the internal IP addresses of the network, it is much easier for him/her to target systems in the internal network,” explained Jitiya.

The bug has now been fixed.

"When I first got this bug on Facebook server I tried to convert it to RCE (remote code execution) but, unfortunately, they implemented good security measures. However, I made a total of $31500 ($1,000 + $30,000 + $500) from this vulnerability," he said.

On a question whether he would join Facebook cybersecurity research team if given an offer, Jitiya told us: “I would like to stay in India and work as a security researcher for Indian firms. I am not a bug bounty hacker”.

Last month, 27-year-old Indian security researcher Bhavuk Jain received $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the Sign in with Apple authentication feature.

The zero-day vulnerability could have allowed an attacker to break into the account of an Apple user who logged into third-party apps such as Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) using Sign in with Apple.

“Indian ethical hackers and security researchers have come of age, and are now creating headlines the world over with their unmatched skills,” said Jitiya.
