Stephen Sclafani

Hacking Facebook’s Corporate Network for Fun and Profit

July 31st, 2012

Last week Facebook announced that they had widened the scope of their bug bounty program to include vulnerabilities found in their corporate network. I was lucky enough to find a vulnerability that helped lead to this change in policy.

Facebook operates internal mailing lists for all of its divisions, projects and teams. Facebook uses Mailman to manage its lists. Mailman offers both a web interface and an email interface for accessing mailing lists. Through the web interface a user can browse, access the archives, and subscribe and unsubscribe to lists. Through the email interface a user can accomplish these same tasks by sending commands to any list’s “listname-request@” address. The email interface to Facebook’s internal mailing lists was left open to commands sent by anyone, allowing the “lists” command to be sent to the “-request” address of any known list (the name of one was not hard to guess) and a list of all of the public lists on the server (over 2,000) to be returned. The “subscribe” command could then be sent to any of the lists to subscribe. Even though I was a jerk and reported this issue to Facebook on a Friday, a fix was in place by Monday. Facebook paid out a bounty of $4,000 for this issue.

  • Alex

    Can you give any sort of insight into how you discovered this vulnerability?

  • @Alex I have been doing penetration testing for companies for many years and this is an issue I have run into before. For Facebook the challenge was first figuring out what domain they were running their mailing lists from and then guessing a name of an existing list.

  • Did you do this when you guessed correctly?

  • Dylan

    Just out of curiosity Stephen, when ‘figuring out what domain they were running their mailing lists from and then guessing a name of an existing list’, was this done just randomly on a hunch, or was there some specific methodology or automation to this process at all?

  • Pingback: | With Millions Paid in Hacker Bug Bounties, Is the Internet Any Safer?()

  • wazir

    Hi stephen ,

    can you please elaborate how were you able to identify the mailing list and which domain runing the mailing list