German researchers first to get Facebook’s Internet Defense Prize

The best way to solve a problem is to throw money at it, some people argue.

In IT security one way of doing that is by offering bug bounties. Facebook — a co-sponsor of the Internet Bug Bounty — is among those trying a different way, sponsoring an Internet Defense Prize for research into making the Web a safer place.

This week the company announced that the first US$50,000 prize has gone to two researchers from a German university. Johannes Dahse and Thorsten Holz of Ruhr-Universität Bochum were given the award for their paper “Static Detection of Second-Order Vulnerabilities in Web Applications.”

According to a blog post by John Flynn, Facebook’s security engineering manager and a member of the award committee, the researchers used static analysis to detect “second-order vulnerabilities” in Web applications: flaws in which malicious input is first stored on the Web server and only causes harm later, when it is read back and used.

By analyzing reads and writes to memory locations of the Web server, they were able to identify unsanitized data flows by connecting the input and output points of data in persistent data stores such as databases or session data, according to an abstract of their work. As a result, they identified 159 second-order vulnerabilities in six popular Web applications, including the conference management systems HotCRP and OpenConf. An analysis of Web applications evaluated in related work also detected several critical vulnerabilities that had previously been missed.
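As an added illustration of the write-to-read connection described above (not code from the paper, the researchers or Facebook), here is a toy static analysis in Python over a constructed intermediate representation of a hypothetical three-script app; the statement forms, script names and the `users.name` column are assumptions, and the sample app is constructed.

```python
# Toy second-order taint analysis over a tiny intermediate representation.
# Statement forms (one tuple each):
#   ('input', var)            var receives untrusted request data
#   ('sanitize', var)         var passes through an escaping routine
#   ('store', location, var)  write var to a persistent location (table.column)
#   ('load', var, location)   read a persistent location back into var
#   ('sink', kind, var)       var reaches a security-sensitive sink (e.g. SQL)

def run_script(stmts, tainted_locations):
    """Propagate taint through one script. Returns (findings, new_locations): the
    (sink_kind, origins) pairs reaching a sink, and locations written with taint."""
    taint = {}  # variable -> set of taint origins
    findings, new_locations = [], set()
    for stmt in stmts:
        op = stmt[0]
        if op == 'input':
            taint[stmt[1]] = {'request'}
        elif op == 'sanitize':
            taint.pop(stmt[1], None)
        elif op == 'store' and taint.get(stmt[2]):
            new_locations.add(stmt[1])
        elif op == 'load':
            # A load from a location that receives tainted data is a second-order
            # source: the stored data only does harm once it is read back.
            taint[stmt[1]] = {'store:' + stmt[2]} if stmt[2] in tainted_locations else set()
        elif op == 'sink' and taint.get(stmt[2]):
            findings.append((stmt[1], sorted(taint[stmt[2]])))
    return findings, new_locations

def analyze(scripts):
    """Connect writes and reads of persistent locations across all scripts, iterating
    to a fixpoint so chains through several locations are found. Returns {name: findings}."""
    tainted_locations = set()
    grown = True
    while grown:
        grown = False
        for _, stmts in scripts:
            locs = run_script(stmts, tainted_locations)[1]
            if not locs <= tainted_locations:
                tainted_locations |= locs
                grown = True
    return {name: run_script(stmts, tainted_locations)[0] for name, stmts in scripts}
# Constructed sample app: profile.php stores a user-chosen name; admin.php later
# puts it into a query unescaped (second-order flaw), report.php escapes it first.
SAMPLE_APP = [
    ('profile.php', [('input', 'name'), ('store', 'users.name', 'name')]),
    ('admin.php', [('load', 'n', 'users.name'), ('sink', 'sql', 'n')]),
    ('report.php', [('load', 'n', 'users.name'), ('sanitize', 'n'), ('sink', 'sql', 'n')]),
]
```

Running `analyze(SAMPLE_APP)` reports the unescaped `admin.php` flow with origin `store:users.name` and nothing for the two other scripts; the fixpoint loop also connects flows that pass through several locations regardless of the order the scripts are listed in.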

The technical merit of the paper was strong, Flynn said, “and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology. We’re very excited to see what they do next.”

A status report is due in about a year.

Facebook has partnered with USENIX, the Advanced Computing Systems Association, to evaluate submissions. The award was announced at this week’s USENIX Security Symposium.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
