The researcher hacked Facebook after identifying and exploiting Unauthenticated RCE on MobileIron’s Mobile Device Management (MDM) used by the company’s employees.
Not every time a platform is found vulnerable because of its own fault, at least not entirely. Sometimes, a third-party service may be used which has a negative ripple effect on user security.
Such is the recent case of Facebook where a researcher Orange Tsai from DEVCORE found Facebook vulnerable to critical attacks because of a flaw in MobileIron. For your information, MobileIron is a Mobile Device Management (MDM) system used by the social network giant in order to control employees’ corporate devices.
The researcher identified 3 vulnerabilities centered around allowing attackers to engage in:
All of these were reported to MobileIron in March and a patch was released by the company afterward on June 15th, 2020. However, since it happens to be one of the most used MDMs out there with almost 20,000 companies under its belt, it was essential to see how fast these user-companies adopt the patch.
In doing so, one of the companies monitored was Facebook where after 15 days of tracking them, it was found that no action was taken by their team.
Keeping this in mind, Tsai gained remote access to Facebook’s server through a shell connection which is demonstrated in the video below:
Then the issue was reported to Facebook via their bug bounty program for which an unknown reward was also given to the researcher. In addition to this, Fortune Global 500 companies were also analyzed in which 15% of their MobileIron servers were found to be exposed as well.
We have demonstrated a completely unauthenticated RCE on MobileIron. There are other stories, but due to the time, we have just listed topics here for those who are interested: How to take over the employees’ devices from MDM, Disassemble the MI Protocol, and the CVE-2020-15506, an interesting authentication bypass, researcher wrong in their blog post.
To conclude, it is important for organizations to not only monitor their own systems for vulnerabilities but also those of their partner vendors. This can help narrow the attack surface a malicious actor may be able to exploit, especially for a company as large as Facebook’s.
Moreover, other MDM platforms such as AirWatch should also take a cue from this and work on securing their platforms.
Those of you interested in Tsai’s 2016 Facebook hack and finding someone else’s backdoor, check their blog post here.