55881921 story Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom" 111 Posted by timothy on Thursday January 23, 2014 @09:38AM from the yeah-let's-talk dept. mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."