Facebook patches security flaw based on 19-year-old bug; other sites may still be vulnerable
Facebook has paid a group of researchers a bug bounty prize for notifying the company of a severe vulnerability based on a slight modification of an encryption bug from 1998 that was until now presumed to be patched by most major websites, Forbes reported. The researchers say many more websites could be vulnerable.
The trio of researchers – Hanno Böck and Juraj Somorovsky from Germany, and Craig Young from the United States – dubbed the vulnerability “ROBOT” in a blog post published on Tuesday and say that it could affect subdomains on 27 of the top 100 websites on Alexa, the web traffic analytics website. The bug can let a hacker sit between a user and a website’s server and intercept private information, such as passwords.
The vulnerability is based on the 19-year-old Bleichenbacher attack, in which an attacker works out how to break through a website’s encryption by sending a barrage of queries and observing how the server responds. The attack’s existence predates the birth of Facebook by more than a half-decade and targets the widely used RSA encryption algorithm.
According to a blog post by the researchers, security experts originally responded to the revelation of the Bleichenbacher attack by keeping the vulnerable encryption modes and simply adding countermeasures. While the vulnerability is ancient by internet standards, Böck told CyberScoop that researchers have been aware of lingering flaws.
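To make the “countermeasures” mentioned above concrete, here is an added illustration in Python (not code from the researchers, from Facebook, or from any TLS library). It puts a textbook RSA PKCS#1 v1.5 unpadding routine, whose distinct failure exits are exactly the oracle a Bleichenbacher-style attack needs, beside the TLS 1.2 countermeasure from RFC 5246 section 7.4.7.1, which evaluates every check without early exit and silently substitutes a random premaster secret so the handshake fails later in a way the peer cannot distinguish from a wrong guess. RSA itself is left out because the oracle lives in the unpadding step; the modulus size, probe blocks and function names are the example’s own constructions.

```python
import hmac
import secrets

# Added example, not code from the ROBOT researchers or any TLS library.
PREMASTER_LEN = 48      # a TLS premaster secret is always 48 bytes
MIN_PS_LEN = 8          # PKCS#1 v1.5 requires at least 8 padding bytes


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build a PKCS#1 v1.5 type-2 block: 00 02 <PS, nonzero, >= 8 bytes> 00 <msg>.
    k is the RSA modulus length in bytes (constructed; RSA is omitted)."""
    ps_len = k - 3 - len(msg)
    if ps_len < MIN_PS_LEN:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_naive(em: bytes) -> bytes:
    """The 'before' form: each failure mode is a distinct early exit.
    Whether that difference surfaces as an error code, an alert type or
    timing, it tells the sender something about a chosen ciphertext's plaintext."""
    if len(em) < 3 + MIN_PS_LEN or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 2 + MIN_PS_LEN:
        raise ValueError("bad padding string")
    msg = em[sep + 1:]
    if len(msg) != PREMASTER_LEN:
        raise ValueError("bad length")
    return msg


def unpad_tls(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: run every check without early exit,
    then hand back either the real premaster secret or a fresh random one.
    The handshake continues either way and fails (if at all) at the Finished
    message, so padding errors are not observable as a separate outcome.
    Python cannot guarantee constant time; the control-flow shape is the point."""
    random_pms = secrets.token_bytes(PREMASTER_LEN)
    k_min = 3 + MIN_PS_LEN + PREMASTER_LEN
    ok = int(len(em) >= k_min)
    buf = em if ok else bytes(k_min)          # valid length so no index below fails
    ok &= int(buf[0] == 0x00) & int(buf[1] == 0x02)
    ps_len = len(buf) - 3 - PREMASTER_LEN
    for i in range(2, 2 + ps_len):            # padding string must contain no zero byte
        ok &= int(buf[i] != 0x00)
    ok &= int(buf[2 + ps_len] == 0x00)        # separator at the one position that fits 48 bytes
    pms = buf[-PREMASTER_LEN:]
    # The client_version check is folded into the same silent path.
    ok &= int(hmac.compare_digest(pms[:2], client_version))
    mask = -ok & 0xFF                         # 0xFF when ok, 0x00 otherwise
    return bytes((p & mask) | (r & (mask ^ 0xFF)) for p, r in zip(pms, random_pms))


def observable_outcomes(blocks, client_version: bytes):
    """What a peer can observe per server variant: for the naive server the set
    of distinct exception messages (the oracle); for the TLS variant only the
    output length, which is always 48."""
    naive, tls = set(), set()
    for em in blocks:
        try:
            unpad_naive(em)
            naive.add("ok")
        except ValueError as e:
            naive.add(str(e))
        tls.add(len(unpad_tls(em, client_version)))
    return naive, tls


if __name__ == "__main__":
    k = 256                                   # 2048-bit modulus (constructed)
    version = b"\x03\x03"                     # TLS 1.2 client_version
    pms = version + secrets.token_bytes(46)
    good = pad_pkcs1_v15(pms, k)
    # Constructed probes: valid block, bad header, zero inside PS, truncated block.
    probes = [good, b"\x01" + good[1:], good[:5] + b"\x00" + good[6:], good[:-1]]
    print(observable_outcomes(probes, version))
```

Running the block prints four distinct outcomes for the naive routine and a single outcome for the hardened one; the defensive check to carry away is that every branch in the unpadding path, including the version check, must collapse into the same externally visible result.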
“There’s been research about this for a while that everyone involved in crypto[graphy] knew about,” Hanno Böck said in an email. “It was a relatively obvious thing to look for.”
Forbes reported that Facebook patched for ROBOT in October. Böck said several other vendors have been identified as vulnerable and the researchers are maintaining an up-to-date patch list on their website. Having published all the information, Böck said that the work is mostly done. But there remains one major IT company that has not addressed the flaw, he said, declining to name it.
“I can say that they acted very poorly on this. They communicated almost not at all with us and refused to answer basic questions about their timeline for a fix,” Böck said.
Böck also declined to disclose the bounty awarded by Facebook, but said that it was “very fair” and that the researchers received a few minor bounties from other companies.