Mihir :-)

A Taiwan-based security researcher, known as "Orange Tsai," who was awarded a $10,000 bug bounty in February published a report detailing the exploits that led to his discovery of illicit code on a Facebook server.

A consultant at the security firm Devcore, Orange Tsai said he discovered malware that provided access to Facebook employee's passwords, which had been used by a remote attacker to gain access to employee emails and shared files.

The accessed information appears not to have compromised Facebook users. The researcher wrote that he noticed that Facebook's server used Accellion's web-based Secure File Transfer service, a web application that, while popular among large companies like Facebook, has previously been found to contain serious security issues.

This caught the researcher's attention, and led him to look for potential vulnerabilities in the file transfer application. He ultimately discovered several vulnerabilities, including a SQL injection flaw that enabled remote code execution.

A member of Facebook's security group wrote on Hacker News that Facebook did not have full control of the software, so it was run isolated from systems that host the company's user data. “We do this precisely to have better security, wrote Reginaldo, the Facebook employee. “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program.”

Once Orange Tsai gained access to Facebook's server, he explored the web server log files and noticed an unusual traffic pattern, which led to his discovery of the illicit code.

Read more: Researcher find backdoor that accessed Facebook employee passwords
Last edited by a moderator: