
Critical RCE Vulnerability in Facebook Server Patched, Researcher Nabs $5,000 Bounty

August 28, 2018

A critical remote code execution vulnerability in a Facebook server was recently patched after security researcher Daniel ‘Blaklis’ Le Gall reported it using a proof-of-concept.

The vulnerability was found in an unstable Sentry service – a cross-platform application capable of collecting logs and debugging Python apps – written in Python with the Django library. Occasional crashes of the application revealed that Django debug mode had not been turned off, so the resulting stack traces exposed information about session cookie names, options, and the serializer in use (Pickle).
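A defender can check a Django settings file for the two conditions described above (debug mode left on, Pickle as the session serializer) without executing it. The following is an added example, not code from the researcher, Facebook or Sentry; the sample settings and the cookie name in them are constructed for illustration.

```python
import ast

# Constructed sample settings, modelled on the misconfiguration described above.
SAMPLE_SETTINGS = '''
DEBUG = True
SESSION_COOKIE_NAME = "examplesid"
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
'''

# Constructed corrected counterpart.
HARDENED_SETTINGS = '''
DEBUG = False
SESSION_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"
'''


def literal_settings(source):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    found = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target = node.targets[0]
            if isinstance(target, ast.Name):
                try:
                    found[target.id] = ast.literal_eval(node.value)
                except (ValueError, TypeError, SyntaxError):
                    found[target.id] = None  # computed value, needs manual review
    return found


def audit_settings(source):
    """Return findings for the two weaknesses the article describes."""
    settings = literal_settings(source)
    findings = []
    # Django's default for DEBUG is False, so a missing key is not flagged.
    if "DEBUG" in settings and settings["DEBUG"] is not False:
        findings.append("DEBUG is not a literal False: error pages can expose settings and stack traces")
    serializer = settings.get("SESSION_SERIALIZER")
    if isinstance(serializer, str) and serializer.endswith("PickleSerializer"):
        findings.append("SESSION_SERIALIZER uses pickle: session data is deserialized with pickle")
    return findings


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(src) or "no findings")
```

A DEBUG value computed at runtime (for example from an environment variable) is reported as well, since the static check cannot confirm it resolves to False in production.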

Read More on Hot for Security