Facebook pays $ 10,000 for DoS error in Fizz TLS library

Although Facebook's bug bounty program does not normally cover Denial of Service (DoS) vulnerabilities, the social media giant has decided to pay a significant reward for a serious flaw in Fizz, its open source TLS library.

Fizz, released by Facebook as open source in August 2018, is the company's implementation of the TLS 1.3 cryptographic protocol. At the time Fizz was unveiled, it was already used to protect communications in Facebook's mobile applications, load balancers, internal services, the Proxygen HTTP library, and other applications. Other organizations and open source projects may also have adopted it after its release.

Facebook Fizz Vulnerability
A researcher at the code analysis firm Semmle found that Fizz is vulnerable to a DoS flaw that can be triggered trivially by an unauthenticated remote attacker. Exploiting it sends Fizz into an infinite loop, as a result of which the web service becomes unavailable. Both Facebook and Semmle have confirmed that the flaw cannot be used to gain access to user data.

“The impact of this vulnerability is that an attacker could send a malicious message via TCP to any server using Fizz and run an endless loop on that server. This can make the server immune to other clients,” explained Kevin Backhouse, the Semmle researcher who discovered the flaw.

“The message size is a little over 64 KB, so this attack is extremely cheap for an attacker, but it damages the server. To illustrate this, one computer with a normal Internet connection (download speed of 1 Mbps) can send two such messages per second. Since each message knocks out one CPU core, it will only take a small botnet to quickly weaken the entire data center,” he added.

The vulnerability was reported to Facebook on February 20, and a patch was deployed to Facebook's internal systems the same day. The fix was pushed to GitHub five days later and is included in version 2019.02.25.00 and later.

Although Facebook's bug bounty program usually does not cover DoS vulnerabilities, the company decided to award $10,000 because the problem “could have significant risk”. Semmle donated the award to charity, so Facebook doubled the amount, and the code analysis firm also matched the original award with a donation to another charity.


SIMONLINE.SU
SIMonline © 2020