Facebook’s penetration tester discovers intruder
A security researcher on a Facebook bug hunt found that the company servers had been compromised
Professional bug bounty hunter Orange Tsai uncovered another hacker's backdoor installed on Facebook's corporate servers, a backdoor that was capturing employee credentials.
Tsai found that at least one hacker, possibly two, had exploited Facebook's corporate network in July and September last year and potentially as recently as February this year. He discovered seven security vulnerabilities within Facebook's network, and according to him the hackers could have gained access to email accounts, Facebook's virtual private network and other company tools.
"While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things in the web log," said Tsai. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under the web directory for the hacker to use [collect] every once in a while."
"At the time I discovered these, there were around 300 logged credentials dated between 1 and 7 February, mostly '@fb.com' and '@facebook.com'. Upon seeing it I thought it was a pretty serious security incident."
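The backdoor Tsai describes has two observable traces on the server: a modified login handler and a credential dump that appears under the web root. The check below is an added example, not code from the article or from Tsai's report. It compares the web root against a known-good hash manifest to list added or modified files, then flags any file containing several credential-shaped lines. The directory layout, file names and the `user=...&pass=...` log format are assumptions constructed for the example; the article does not say how the real logger formatted its output.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Lines that look like harvested form logins, e.g. "user=alice@fb.com&pass=x".
# Constructed for this example; adjust to the login form's real field names.
CRED_LINE = re.compile(r"(user|username|login|email)=[^&\s]+&(pass|password|pwd)=", re.I)


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Files added, modified or removed relative to a known-good manifest."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def credential_log_candidates(root: Path, min_hits: int = 3) -> list:
    """Flag files under root that contain at least min_hits credential-shaped lines."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            n = sum(1 for line in text.splitlines() if CRED_LINE.search(line))
            if n >= min_hits:
                hits.append((p.relative_to(root).as_posix(), n))
    return sorted(hits)


def demo() -> dict:
    """Constructed web root: snapshot it, then plant a patched login page and a dump."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.php").write_text("<?php // original login handler ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = build_manifest(root)  # taken from a known-good deployment

        # Simulated intrusion: the login handler is altered to log and forward
        # submissions, and the harvested credentials land inside the web root.
        (root / "login.php").write_text("<?php // patched: log then forward ?>\n")
        (root / "css" / ".cache.log").write_text(
            "user=alice@fb.com&pass=Winter2016\n"
            "user=bob@facebook.com&pass=hunter2\n"
            "user=carol@fb.com&pass=letmein!\n"
        )
        return {
            "diff": diff_against_baseline(root, baseline),
            "cred_logs": credential_log_candidates(root),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated at deploy time from the release artifact and stored off the host, so an attacker who can write to the web root cannot also rewrite the baseline; the content scan is a fallback for dumps written to locations the manifest does not cover.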
Penetration testing is where security researchers are engaged to deliberately find vulnerabilities in systems and report them back. Facebook also runs a bug bounty program that pays rewards to anyone who finds problems with its websites or systems. Tsai was reportedly rewarded $10,000 for discovering this particular incident.
Facebook was informed of the hack on 5 February, which led to an internal investigation. Once completed, Tsai was able to publish what he found.
Facebook's security team member Reginaldo Silva commented on Tsai's findings, stating: "We determined that the activity Tsai detected was in fact from another researcher who participates in our bounty program.
"Neither of them was able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, neither of them was able to escalate access."