This bug bounty hunter hacked Facebook but soon realized there’s something fishy going on
A hacker taking part in Facebook’s bug bounty program broke into a Facebook server used by employees through a web app and found that someone else had already planted malware on the system. The hacker, Orange Tsai, who works for the Taiwan-based outfit Devcore, was recently paid $10,000 by Facebook after finding a bug in one of the social network’s systems. Tsai gained access to the vulnerable system back in February.
Orange Tsai, a security expert at the DevCore firm, detected a malicious webshell on a Facebook staff server while he was analysing the security infrastructure of the social network. While doing so, he came across a domain named files.fb.com, which piqued his curiosity. To satisfy it he tried to gain access to the domain and discovered that it hosted an Accellion File Transfer Appliance, a product used by many companies. The webshell he found there was stealing the credentials of the tech giant’s employees.
This shows Facebook’s security is a myth
Spurred on by this chance discovery, he decided to dig deeper and explore further flaws in the software’s security. What he found was quite astounding: a catch of 7 zero-day flaws, including cross-site scripting, remote code execution, and local privilege escalation vulnerabilities. He also learned that the company had recently fixed an already known flaw in the system.
In a write-up that he published recently on the Devcore blog, he describes his discoveries: “FTA is a product which enables secure file transfer, online file sharing and syncing, as well as integration with Single Sign-on mechanisms including AD, LDAP, and Kerberos. The Enterprise version even supports SSL VPN service. Upon seeing this, the first thing I did was to search for publicized exploits on the internet.”
As he dug further, the expert realised that the attackers had used code that managed to extract at least 300 employees’ credentials between the 1st and the 7th of February. On going through the logs, he saw that the attackers had made major intrusions twice, once in July 2015 and again in September 2015. However, there is no proof that these were carried out by the same hacker. Nor was it possible to determine how the malicious webshell on the Accellion File Transfer Appliance had been deployed.
Facebook’s security engineer Reginaldo Silva said that the malware had been installed by another security researcher who, like Tsai, had been probing the system in search of a bug bounty. Expressing his delight at Orange’s discovery of the vulnerability, he said: “In this case, the software we were using is third party. As we don’t have full control of it, we ran it isolated from the systems that host the data people share on Facebook.”
In recognition of his work, Tsai was rewarded with $10,000 by the tech-giant.
This is not the first time a bug bounty hunter has hacked into a system owned by Facebook. In December 2015, a researcher hacked Instagram, cracking his way through its defences and coming close to gaining complete control over the service. Soon after the researcher disclosed the vulnerability to Facebook, the company threatened to sue him instead of paying the reward he was due for his work.