Reporting bad regex for a cool $10k #cybersecurity #bugbounty #developer #computerscience #javascrip

Introduction

In the world of cybersecurity, even the smallest mistakes can lead to significant vulnerabilities. A recent incident involving only two characters in JavaScript code showed just how impactful such tiny errors can be: a security researcher discovered an account takeover vulnerability on Facebook and earned a $10,000 reward for the finding.

The Vulnerability

The vulnerability was in the way Facebook implemented a regular expression (regex) for pattern matching. The regex was meant to ensure that URLs coming into Facebook were owned by Facebook, by matching them against an expected pattern. However, the regex was missing two critical characters: a slash ("/") and a dot ("."). Without them, a URL that was not actually a Facebook URL could pass the validation, opening the way to a security breach.

Here is an example of such a URL: http://example.com.facebook.com. This URL appears to be part of Facebook but can point to an external site.

The Impact

Such issues are hard for developers to catch: security tools usually do not flag them, because the tools cannot know what the developer intended the regex to match. This oversight can result in significant security risk, as seen in this case.

The Solution

To avoid this class of mistake, security-sensitive operations such as URL validation should be placed into shared libraries. Developers then do not need to reimplement the same functionality repeatedly, and every avoided reimplementation is one less chance to introduce an error.
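The following is an added example, not Facebook's code and not the regex from the report. It puts a constructed, deliberately weak URL-ownership check (missing the two characters the article describes: an unescaped dot and no "/" or end-of-string requirement after the host) beside two hardened versions that belong in a shared library: a corrected regex, and a parser-based check that compares the hostname against an allow-list. The host name `facebook.com`, the allow-list and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the original page): weak vs. hardened URL-ownership checks.

// WEAK (constructed): the dot in "facebook.com" is unescaped, so it matches any
// character, and nothing requires a "/" or end-of-string after the host, so the
// match can stop in the middle of an unrelated host name.
const WEAK_OWNED_URL = /^https?:\/\/([a-z0-9-]+\.)*facebook.com/i;

// HARDENED regex: the dot is escaped, and the host must be followed by a path,
// port, query, fragment, or the end of the string.
const STRICT_OWNED_URL = /^https?:\/\/([a-z0-9-]+\.)*facebook\.com(?=[/:?#]|$)/i;

function isOwnedUrlWeak(url) {
  return WEAK_OWNED_URL.test(url);
}

function isOwnedUrlRegex(url) {
  return STRICT_OWNED_URL.test(url);
}

// Preferred shared-library check: let the URL parser decide where the host ends,
// then compare the hostname exactly (or as a subdomain) against an allow-list.
const OWNED_HOSTS = ["facebook.com"]; // constructed allow-list

function isOwnedUrl(url, ownedHosts = OWNED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never "owned"
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return ownedHosts.some((h) => host === h || host.endsWith("." + h));
}

// Run all three checks on one URL so the differences are visible side by side.
function compareChecks(url) {
  return {
    weak: isOwnedUrlWeak(url),
    regex: isOwnedUrlRegex(url),
    parser: isOwnedUrl(url),
  };
}

// Constructed sample inputs: one genuine, three that only a weak check accepts.
const SAMPLES = [
  "https://www.facebook.com/login",
  "https://facebook.com.attacker.example/phish",
  "https://facebookXcom/",
  "https://facebook.com@attacker.example/",
];

for (const url of SAMPLES) {
  console.log(url, compareChecks(url));
}
```

The parser-based `isOwnedUrl` is the one to export from a shared library: it does not depend on anyone getting regex escaping right, and the allow-list is data rather than pattern syntax, so it can be reviewed and extended without touching the matching logic.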

Bug Bounty Culture

Until such development practices become standard, bug bounty researchers remain crucial in identifying and reporting these vulnerabilities. Their efforts not only improve security but also earn them substantial rewards, as demonstrated by this $10,000 payout for reporting the regex issue.

Keywords

* Security researcher
* Account takeover vulnerability
* JavaScript
* Regex
* Pattern matching
* URL validation
* Facebook
* Shared Library
* Bug bounty
* $10,000 reward

FAQ

Q: What led to the account takeover vulnerability on Facebook?
A: A flaw in the regex used for URL validation allowed non-Facebook URLs to pass through, leading to a security vulnerability.

Q: What characters were missing in the regex?
A: The missing characters were a slash ("/") and a dot (".").

Q: How did the researcher benefit from finding this vulnerability?
A: The researcher received a $10,000 reward from Facebook.

Q: Why are such issues challenging for developers to catch?
A: Security tools often don't detect such issues because they don't understand the developer's intentions behind the regex.

Q: What's the recommended solution to prevent such vulnerabilities?
A: Security-sensitive operations should be placed into shared libraries, so developers do not have to repeatedly develop the same functionality, reducing the chance of errors.