Fizz, Facebook’s implementation of the TLS protocol, had a critical security flaw that could have enabled attackers to perpetrate DoS attacks on servers.
According to Semmle, the IT firm that found this flaw, the vulnerability can be triggered by an unauthenticated remote attacker and can possibly corrupt web services that use Fizz. Luckily, Facebook has patched this flaw in recent versions of Fizz.
What is the vulnerability?
What is the issue - Kevin Backhouse, who identified and studied the flaw in detail, says that the integer overflows in Fizz are the root cause of the vulnerability.
“Fizz is written in a modern C++ style, so it’s unlikely to have something like a buffer overflow, which is so common in older C projects. That’s why I used QL to query for integer overflows instead. The overflow I found causes the code to enter an infinite loop, which could be used to launch a denial of service attack,” said the Semmle security researcher.
What actions were taken - Once Backhouse informed Facebook of the flaw, the social media company fixed the overflow issue in a patch for new versions (2019.02.25.00 and later).
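How an integer overflow can turn a record-parsing loop into an infinite loop, shown as an added example that is not Fizz's code or Facebook's patch. The record format, the 16 KiB payload limit and all function names are assumptions made for illustration; the flawed parser is shown beside a hardened one.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical record format (an assumption, not Fizz's wire format):
// 3-byte header = 1 type byte + 2-byte big-endian payload length.
constexpr std::size_t kHeaderSize = 3;
constexpr std::size_t kMaxPayload = 1 << 14;  // assumed protocol limit

enum class Status { Done, Stalled, Rejected };
struct Outcome { Status status; std::size_t records; };

static std::size_t readLen(const std::vector<uint8_t>& b, std::size_t pos) {
  return (std::size_t{b[pos + 1]} << 8) | b[pos + 2];
}

// Flawed: the record size is narrowed to 16 bits, so 0xFFFD + 3 wraps to 0.
Outcome parseNarrow(const std::vector<uint8_t>& buf) {
  std::size_t pos = 0, records = 0;
  while (buf.size() - pos >= kHeaderSize) {
    auto total = static_cast<uint16_t>(readLen(buf, pos) + kHeaderSize);
    if (buf.size() - pos < total) break;  // incomplete record: wait for data
    // Demo-only guard: without it, pos never advances and the loop spins.
    if (total == 0) return {Status::Stalled, records};
    pos += total;
    ++records;
  }
  return {Status::Done, records};
}

// Hardened: bound the length first, then add in a type wide enough to hold it.
Outcome parseWide(const std::vector<uint8_t>& buf) {
  std::size_t pos = 0, records = 0;
  while (buf.size() - pos >= kHeaderSize) {
    const std::size_t len = readLen(buf, pos);
    if (len > kMaxPayload) return {Status::Rejected, records};
    const std::size_t total = len + kHeaderSize;  // at least 3, so pos advances
    if (buf.size() - pos < total) break;
    pos += total;
    ++records;
  }
  return {Status::Done, records};
}

// Constructed inputs: one valid 2-byte record, and a header whose length wraps.
const std::vector<uint8_t> kWellFormed = {0x16, 0x00, 0x02, 0xAA, 0xBB};
const std::vector<uint8_t> kWrapping = {0x16, 0xFF, 0xFD};

int main() { return parseWide(kWrapping).status == Status::Rejected ? 0 : 1; }
```

Both parsers agree on well-formed input; only the header whose length wraps separates them, which is why this kind of bug survives ordinary functional testing.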