Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems
2021-03-19 12:52

A researcher says he has earned more than $50,000 from Facebook after discovering vulnerabilities that could have been exploited to gain access to some of the social media giant's internal systems.

Abdulridha also claimed the account takeover attack may have allowed a hacker to access accounts for other internal Facebook applications as well, but Facebook told SecurityWeek it had not found any evidence to suggest that the flaw could be escalated to access other internal accounts.

Facebook has clarified that the vulnerabilities reported by Abdulridha actually affected a third-party service designed for signing documents and they impacted anyone using this service, not just Facebook.

The company also pointed out that the first vulnerability only allowed access to accounts within the third-party document signing app, but did not grant access to any employee accounts used for other internal applications.

While the researcher claimed that it took Facebook nearly 6 months to patch the second round of vulnerabilities, the company told SecurityWeek that, although the report was only closed in February, the bugs had actually been completely fixed, by both Facebook and the third-party vendor, within a few days.

Facebook also said that while it paid out a bug bounty based on the maximum possible impact it could determine, it did not agree with the researcher's belief that the SSRF vulnerabilities could have been escalated to remote code execution.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/4qCvsGF0k4U/facebook-paid-out-50k-vulnerabilities-allowing-access-internal-systems

Related vendor (figures for the last 12 months)

VENDOR     #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Facebook   30           2     44       52     19         117