osquery Security Audit

The Yahoo! Paranoids have the mission of protecting the privacy and security of a billion users. It's a tough but rewarding job and we wouldn't have it any other way. Like many of you, we frequently use open source security tools to get the job done. These tools are often built by the security community for the security community. We value these mutually beneficial relationships, and believe that shared contributions by all members of the community are important.

Today we are happy to announce that we devoted two weeks to auditing the osquery project. osquery is a valuable system security tool that enables the collection of data on processes, network connections and more. All of this is made available through a convenient and familiar SQL interface. Our audit of osquery consisted mainly of manual source code analysis and some light fuzzing. We reported 10 security vulnerabilities to Facebook along with additional hardening recommendations. The issues we uncovered ranged from uncaught C++ exceptions to an arbitrary file read (with the potential for privilege escalation, given local system access, by chaining together two different vulnerabilities). We communicated our findings to the Facebook osquery team, who quickly took action to mitigate them. As of May 6th, 2015, all of the fixes have been committed to the osquery git repository.

Thanks to the Facebook osquery team and the security community as a whole for your ongoing support. Be on the lookout for more security research and tools from Yahoo in the near future. We are just getting started!