A hacker taking part in Facebook's bug bounty program broke into a Facebook employee-facing web app and found that someone else had already planted malware on the system. The hacker, Orange Tsai, who works for the Taiwan-based outfit Devcore, was recently paid $10,000 by Facebook after noticing a bug in one of the social media company's systems. Orange Tsai gained access to the vulnerable system back in February.
Orange Tsai, the security expert from the DevCore firm, detected a malicious webshell on a Facebook staff server while he was analysing the security infrastructure of the social network. In the course of that work he came across a domain named files.fb.com, which piqued his curiosity. To satisfy it he tried to gain access to the domain and discovered that it was hosting an Accellion File Transfer Appliance, a product used by many companies. The malware he found there was stealing the login details of the tech giant's employees.
This shows Facebook’s security is a myth
Spurred on by this chance discovery, he decided to dig deeper and explore further flaws in the software's security. What he found was quite astounding: a total of 7 zero-day flaws, including cross-site scripting, remote code execution, and local privilege escalation vulnerabilities. He also learned that the company had recently fixed an already known flaw in the system.
In a write-up that he published recently on the Devcore blog, he describes his discoveries – “FTA is a product which enables secure file transfer, online file sharing and syncing, as well as integration with Single Sign-on mechanisms including AD, LDAP, and Kerberos. The Enterprise version even supports SSL VPN service. Upon seeing this, the first thing I did was searching for publicized exploits on the internet.”
As the discoveries mounted, the expert realised that the attackers' code had managed to capture at least 300 employees' credentials between the 1st and the 7th of February. On going through the logs, he saw that the attackers had made two major intrusions, once in July 2015 and again in September 2015. However, there is no proof that these were carried out by the same hacker. It was also not possible to determine how the malicious webshell found on the Accellion File Transfer Appliance had been deployed.