Last week Facebook announced that they had widened the scope of their bug bounty program to include vulnerabilities found in their corporate network. I was lucky enough to find a vulnerability that helped lead to this change in policy.
Facebook operates internal mailing lists for all of its divisions, projects and teams, and uses Mailman to manage them. Mailman offers both a web interface and an email interface for accessing mailing lists. Through the web interface a user can browse lists, access the archives, and subscribe to and unsubscribe from lists. Through the email interface a user can accomplish these same tasks by sending commands to any list’s “listname-request@” address.

The email interface to Facebook’s internal mailing lists was left open to commands sent by anyone. Sending the “lists” command to the “-request” address of any known list (the name of one was not hard to guess) returned a list of all of the public lists on the server (over 2,000). The “subscribe” command could then be sent to any of those lists to subscribe to it. Even though I was a jerk and reported this issue to Facebook on a Friday, a fix was in place by Monday. Facebook paid out a bounty of $4,000 for this issue.
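To make the two behaviours concrete, here is a small model of a Mailman-style “-request” command handler, written for this post as an added illustration (it is not Mailman’s code and not anything from Facebook). It assumes a hypothetical corporate domain `example.com` and a constructed list directory; the `internal_only` flag switches between the open configuration described above and a hardened one that refuses commands from outside the company before any list name or membership change is exposed.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumption: the company's own mail domain

# Constructed list directory; names are hypothetical placeholders, not
# Facebook's. "advertised" mirrors Mailman's per-list setting that decides
# whether the "lists" command reveals the list at all.
LISTS = {
    "engineering-all": {"advertised": True, "members": set()},
    "security-incidents": {"advertised": False, "members": set()},
}


def sender_domain(addr):
    """Lower-cased domain of an RFC 5322 From value, or '' if it has no '@'."""
    _local, at, domain = parseaddr(addr)[1].rpartition("@")
    return domain.lower() if at else ""


def handle_request(sender, list_name, body, lists, internal_only=True):
    """Process commands mailed to <list_name>-request, one command per line.

    internal_only=False reproduces the open behaviour from the post: anyone
    can run "lists" and "subscribe". internal_only=True applies the
    hardening: senders outside CORP_DOMAIN are refused outright.
    """
    replies = []
    trusted = sender_domain(sender) == CORP_DOMAIN
    for line in body.splitlines():
        words = line.split()
        if not words:
            continue
        cmd = words[0].lower()
        if cmd == "end":  # Mailman stops reading commands at "end"
            break
        if internal_only and not trusted:
            replies.append(f"{cmd}: refused, commands accepted from @{CORP_DOMAIN} only")
            continue
        if cmd == "lists":
            # As in Mailman, only advertised lists are enumerated
            names = sorted(n for n, l in lists.items() if l["advertised"])
            replies.append("lists: " + ", ".join(names))
        elif cmd == "subscribe" and list_name in lists:
            member = parseaddr(sender)[1]
            lists[list_name]["members"].add(member)
            replies.append(f"subscribe: {member} added to {list_name}")
        else:
            replies.append(f"{cmd}: unknown command or list")
    return replies
```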