A Brazilian computer engineer just collected a $30,000 bounty from Facebook after he discovered a major security flaw that allowed him to hack incredibly sensitive information from the popular social media platform including administrator access, user IDs and passwords.
Reginaldo Silva discovered the flaw in OpenID — a popular software used by websites that allows users to access multiple accounts on various sites after logging into just one of them. Facebook and Google’s Gmail are just one example of an OpenID relationship, and that’s where Silva found what he called the “keys to the kingdom.”
By reading up on the use of OpenID, which Silva discovered a major flaw in two years ago, the well-intentioned hacker for hire was able to replace Gmail with another provider controlled by him.
The switch caused Facebook to send a request directly to Silva, and he replied to that request with a code of his own that caused Facebook to reply again with administrator access information.
“After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn’t go through any kind of proxy was surely something Facebook wanted to avoid at any cost,” Silva wrote when he posted his findings online.
After discovering the bug, Silva reported it to Facebook, which corrected the issue that day and rewarded the Brazilian engineer with $33,500 after he explained to the Silicon Valley tech giant a way in which he could have exploited the glitch in a much more widespread, damaging fashion.
Silva was a little disappointed with the sum after Facebook security head Ryan McGeehan told Bloomberg News back in 2012 that the company would pay $1 million for a discovery like Silva’s, as part of its “Bug Bounty” program designed to catch security flaws.
“We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators,” Facebook said in a statement Wednesday. “As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.”